Challenge Link: https://www.hacking-lab.com
Date Completed: May 2016
The goal of the challenge is to disclose the content of /root/secret.txt on the server gotroot.hacking-lab.com. For that, SSH credentials are given to connect to the server, but they belong to a limited user with restricted access.
From the initial information gathering process I found the following:
- We are provided with a restricted bash (rbash) shell, so no cd or /, etc.
- Only a few commands are available, and they are in /home/<username>/bin.
- The text file is in the root folder, so root access is needed to read it.
By trial and error, I started looking through all the files that reside on that system. The command
provided me with the following result, which shows that the .bashrc file was writable. We know .bashrc stores startup settings for the bash shell.
-rw-r--r-- 1 restricted users 23 2016-05-15 05:38 .bashrc
As for exploiting it, I found that we can use the tee and echo commands to write the data.
echo 'export SHELL=/bin/bash' | tee '/home/restricted/.bashrc'
The next step is to run the logout command so that the changes are applied to the user, and then log in again. This does not make the shell fully unrestricted, but we can now access python, perl and C. Execute the shell using a perl command.
perl -e 'exec "/bin/bash";'
This leaves us free to use any command.
The next target is to get root on the system. I listed the files and their versions, which made me realise that the glibc on the system is outdated and vulnerable to the privilege escalation vulnerability CVE-2010-3856. I searched exploit-db.com for matching exploit code, found it, created a file in /tmp as it is writable, and executed the exploit code. That's called success: we got a shell with root. Now cat
TEAM X GOTROOT
The security problems that helped in pwning this system were the outdated glibc library and the .bashrc file with the wrong permissions. But before all this, enumeration is the key to pwn.
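
A hardening check for two of the weaknesses in this write-up, a startup file the restricted account can modify and allowed commands that can write files or start another shell, as an added example that is not part of the original post. The function name, the finding labels and the command deny-list are assumptions made for illustration.

```bash
# Added example: audit a restricted-shell (rbash) account for
#   1. shell startup files the account itself can modify
#   2. allowed commands that can write files or start another shell
# Usage: audit_rbash_home <home-dir> <account-uid>
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_rbash_home() {
    local home="$1" uid="$2" findings=0 f name

    # The home directory and each bash startup file should belong to root and
    # not be group/world-writable: an account that owns a file can chmod it
    # back, and one that can write to the directory can replace the file.
    for f in "$home" "$home/.bashrc" "$home/.bash_profile" \
             "$home/.bash_login" "$home/.profile" "$home/.bash_logout"; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -prune \
                \( -user "$uid" -o -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "MODIFIABLE $f"
            findings=1
        fi
    done

    # Commands exposed through the account's bin directory. The deny-list is
    # an assumption for illustration (tools named in the write-up plus shells).
    for f in "$home"/bin/*; do
        [ -e "$f" ] || continue
        name="${f##*/}"
        case "$name" in
            tee)                   echo "FILE-WRITE $name";  findings=1 ;;
            perl*|python*|gcc*|cc) echo "INTERPRETER $name"; findings=1 ;;
            sh|bash|dash)          echo "SHELL $name";       findings=1 ;;
        esac
    done
    return "$findings"
}
```

Run it as root against each restricted account, for example with the home directory and the output of `id -u <username>`; an empty result means none of these conditions were found.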