Challenge Link: https://www.hacking-lab.com
Date Completed: June 2016
Got Wurzel is a challenge posted by Hacking-Lab in their free security challenges area. The challenge is all about connecting via SSH to gotwurzel.hacking-lab.com with username restricted1 and password restricted1, and finally getting root access from a restricted, unprivileged account and reading /root/secret.txt.
One important thing to keep in mind is that the servers revert to a snapshot once an hour (1x/h), so there is a chance of getting logged out of the server. I used my own Kali Linux setup for completing this challenge. Initially I fired up openvpn and connected to Hacking-Lab using the VPN configuration they provided. SSH to that particular hostname only works after a VPN connection has been established successfully.
From the initial stages of exploration I came to know that we were provided with a restricted bash shell. In the previous case (7002 Linux Security: Got Root) the restrictions were removed because the .bashrc was writable. In this case I ran
I found a bin directory with a file named 'ping', which is writable by the user, as shown below.
-rw-r--r-- 1 restricted1 users 13 2011-10-28 15:42 ping
So I planned to use the echo and tee commands to alter the contents of the ping file.
echo '#!/bin/bash' | tee './bin/ping'
echo '/bin/bash' | tee -a './bin/ping'
The second command appends to the same 'ping' file already altered by the first. Now my ping command spawns an unrestricted shell; that doesn't mean it is root, but it can run commands like cat, cd etc.
The very next step is to get root. For that I took my chances at finding writable files, using the find command.
find / -perm -0002 -type f -print
This led me to the conclusion that the system has a file 'mtr', full path /usr/bin/mtr, which is executed every minute by the cron program. From the results of the find command I concluded that /usr/bin/mtr itself was not writable, but it calls another file, /usr/bin/mtr-check, which is writable. Since this program mtr resides in /etc/cron.minutely/ it will be executed every minute. So the decision was to write code into mtr-check so that a root shell would be copied into the user's home directory.
Since we have purged the restrictions we can now use the nano editor to edit any file we have enough permission for. As mtr-check was writable I opened it in nano and added the following code.
cp /bin/sh /home/restricted1/rtbash && chmod 4755 /home/restricted1/rtbash
This copies the original system shell to rtbash and makes it setuid and executable (mode 4755). I waited a minute, had a break, and came back to ls the user's home directory, where I found a new file called 'rtbash'. Running it gave me a root shell. Thus the system was pwned and I retrieved the contents of /root/secret using the cat command.
TEAM GOTWURZEL ID: GOTWURZEL ____________________________________________________________ Je unschuldiger ein Mädchen ist, desto weniger weiss sie von den Methoden der Verführung. Bevor sie Zeit hat nachzu- denken, zieht Begehren sie an, Neugier noch mehr und Gelegen- heit macht den Rest... (Casanova) WE LOVE YOU E1