Walkthrough of the Capstone challenge which is the last task in the Linux privilege escalation room.
Prelude
This piece is the continuation of the Linux Privilege Escalation room write-up; that one was already quite extensive, so I’ve decided to put the challenge part into a separate article. We investigated a lot of privilege escalation vectors there, so now it’s high time to put the skills gathered to the test.
Enumeration
Let’s start with some basic commands in our SSH session to get more information about the victim. Unfortunately, Leonard has no sudo rights at all, so uploading LinPEAS would not help us here as we could not run it anyway. Let’s turn to SUID files then, as that might be the easiest route to escalation.
We can see a lot, but let’s just start with the very first one at the top, shall we. Upon visiting GTFOBins we can see that all we have to do is run a couple of commands in our existing shell and hope for the best.
As the GTFOBins entry notes, we can skip the first line, since a SUID base64 binary is already present on the box. Executing the rest of the commands, we are able to read the password hashes from the shadow file. There are two interesting ones, “missy” and “root”.
Unfortunately, we only manage to crack missy’s hash in a reasonable timeframe.
Let’s log in as missy and answer some questions.
What is the content of the flag1.txt file?
Now, let’s check whether missy has broader sudo rights by any chance. It turns out she is able to run the “find” binary with root privileges. Upon checking the potential break-out possibilities for it in GTFOBins, we find a one-liner that would spawn a root shell.
Executing that command and upgrading the returned root shell to a fully interactive one, we are clearly in a position to answer the final question of this section as well.
What is the content of the flag2.txt file?
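Both footholds in this box, the SUID base64 binary and the sudo rule for find, are the kind of misconfiguration an administrator can catch with a routine audit. As an added example (not code from the original walkthrough or from the room), here is a small POSIX shell audit that flags a watchlisted program carrying the SUID bit, and any sudo rule that delegates such a program or ALL, with the remediation printed next to each finding. The watchlist, the sample SUID list and the sudoers fragment are constructed for the demo; run the script with --live as root to check a real host instead.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough or the room.
# Audits a Linux host for the two misconfigurations the capstone abused:
# a SUID-root copy of a watchlisted program, and a sudo rule that delegates
# such a program (or ALL). Input arrives on stdin so the checks also run
# offline against constructed samples; pass --live to audit the real host.

# Constructed watchlist of programs that give a shell or arbitrary file access
# when run as root. Not exhaustive; extend it from GTFOBins for your estate.
WATCHLIST="base64 find vim vi less more nano awk python python3 perl"

in_watchlist() {
  # $1 = program name (basename); succeeds if it is on the watchlist
  for w in $WATCHLIST; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

flag_suid_paths() {
  # stdin: one absolute path per line (e.g. from find / -perm -4000 -type f).
  # stdout: one "SUID: <path> ..." line per watchlisted program.
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if in_watchlist "$(basename "$p")"; then
      printf 'SUID: %s (remove with: chmod u-s %s)\n' "$p" "$p"
    fi
  done
}

flag_sudo_rules() {
  # stdin: sudoers-style lines. stdout: one "SUDO: <who> -> <cmd> ..." line
  # for every rule whose command list contains ALL or a watchlisted program.
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*|Defaults*) continue ;;   # blank lines, comments, option lines
      *")"*) spec=${line##*\)} ;;      # text after "host=(runas)"
      *=*)   spec=${line#*=} ;;        # rule written without a (runas) part
      *)     continue ;;
    esac
    who=${line%% *}
    # drop tag words such as NOPASSWD: or SETENV: that precede the commands
    spec=$(printf '%s' "$spec" | sed 's/[A-Z_]*:[[:space:]]*//g')
    old_ifs=$IFS; IFS=','; set -f
    set -- $spec                      # split the comma-separated command list
    IFS=$old_ifs; set +f
    for c in "$@"; do
      c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//')   # trim leading blanks
      cmd=${c%% *}                                       # program path only
      if [ "$cmd" = "ALL" ] || in_watchlist "$(basename "$cmd")"; then
        printf 'SUDO: %s -> %s (restrict the rule or drop it)\n' "$who" "$cmd"
      fi
    done
  done
}

# Constructed samples standing in for real host output (not from the room).
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/base64
/usr/bin/find
/bin/mount'

SAMPLE_SUDOERS='# constructed sudoers fragment
Defaults env_reset
leonard ALL=(ALL) /usr/bin/apt-get
missy ALL=(ALL) NOPASSWD: /usr/bin/find
%admin ALL=(ALL) ALL'

audit_samples() {
  printf '%s\n' "$SAMPLE_SUID" | flag_suid_paths
  printf '%s\n' "$SAMPLE_SUDOERS" | flag_sudo_rules
}

audit_live() {
  # Run as root on the host being audited.
  find / -perm -4000 -type f 2>/dev/null | flag_suid_paths
  cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | flag_sudo_rules
}

if [ "${1:-}" = "--live" ]; then audit_live; else audit_samples; fi
```

On the samples the script reports base64 and find as SUID hits and flags missy's find rule plus the group rule granting ALL, while leaving passwd, sudo, mount and the apt-get rule alone. Scheduling the --live run and diffing its output against a known-good baseline turns a one-off check into a detection for newly introduced SUID bits or sudoers changes.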
Thanks for reading and as always, any feedback is most welcome.