O9.1 Escalate your Privileges
Things are going well - you've gained initial access to another host on The Lucky Lion's network, but you have limited access with your current privileges. Let's open up a terminal and see if you can change that.
One of the easiest ways to run a command that you don't have permission to execute is to find a file that DOES have the right permissions and have it execute your command for you. All you have to do is find the right file!
Flag Format: The file's name in name.extension format (e.g., example.txt). You don't need to include the path.
Objectives
Using the NARSH (Not A Real Shell) emulator, find a file with world writable permissions that executes as root.
Tools Required
Web browser
Additional Resources
Solution: Target created a fake bash shell that they call NARSH ("Not A Real SHell") and want us to find the file with the "world writable permissions". The first step is to enumerate the target. I took notes of each directory and what files were in them:
bin: file: narsh r-x
usr: \bin \sbin
  usr\bin\ files: none
  usr\sbin\nologin r-x
var: \backups \spool \softhr
  var\backups\ files: none
  var\spool\cron\crontabs\ files: root and narsh
  var\softhr\logs\softhr.log
etc: \passwd \shadow \fstab (these are files not directories)
root: \ files: none
tmp: \ files: none
home: \narsh
  home\narsh\ Desktop, Documents, Downloads, Music, Pictures, Public, Videos
  home\narsh\Documents\readme.txt (when you cat it, it says "Good luck!")
scripts: and every file in \scripts says the following when you cat it:
#!/bin/narsh
cp /bin/narsh /tmp && chmod +s /tmp/narsh
It seems I should focus my attention on /scripts. But there are so many! How do I search them all? Especially when the fake shell doesn't have any search commands. (The fake shell also can't do cp or mv or chmod +s, though it lets you do chmod, mkdir, and ls.) I decided to copy and paste the output from the shell and create a text file of it in my Kali VM, so I could run "grep rw.rw.rw". But there's way more than one! You could try to submit each one, but that seems like the wrong approach. The correct one is among them, and I highlighted it:
Later, I also realized that the correct script is mentioned in the crontabs folder running as the cron job "root":
Flag: yydUpQ.sh
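The same two-step check (world-writable entries in the listing, cross-referenced against root's crontab) written as a script an administrator can run as an audit. This is an added example, not part of the original write-up: the listing, crontab contents and file names are constructed, and the function names are hypothetical. It tests the "other" write bit directly, so it also reports modes such as rwxr-xrw- that a rw.rw.rw pattern does not match.

```shell
#!/bin/sh
# Constructed sample data (file names, owners, dates and schedule are made up).
LISTING='-rwxr-xr-x 1 root root 58 Jan  1 00:00 aaa111.sh
-rwxrwxrwx 1 root root 58 Jan  1 00:00 bbb222.sh
-rwxr-xrw- 1 root root 58 Jan  1 00:00 ccc333.sh
-rwxrwxrwx 1 root root 58 Jan  1 00:00 ddd444.sh
-rwxr-xr-x 1 root root 58 Jan  1 00:00 eee555.sh'

ROOT_CRONTAB='# m h dom mon dow command
SHELL=/bin/sh
*/5 * * * * /scripts/ddd444.sh
0 3 * * * /scripts/eee555.sh >/dev/null 2>&1
@reboot /scripts/ccc333.sh'

# Names from `ls -l` output (stdin) whose "other" triad has the write bit set.
# Column 1 is e.g. -rwxrwxrwx: char 1 = type, 2-4 user, 5-7 group, 8-10 other.
world_writable() {
  awk 'NF >= 9 && substr($1, 9, 1) == "w" { print $NF }'
}

# Script names under directory $1 that the crontab on stdin runs.
# Handles 5-field schedules and @reboot-style shortcuts; skips comments and
# VAR=value lines. Assumes the script path is the first word of the command.
cron_targets() {
  awk -v dir="$1/" '
    /^[ \t]*(#|$)/       { next }
    $1 ~ /^@/            { cmd = $2 }
    $1 !~ /^@/           { cmd = (NF >= 6) ? $6 : "" }
    index(cmd, dir) == 1 { print substr(cmd, length(dir) + 1) }'
}

# World-writable files in the listing ($1) that root's crontab ($2) runs from
# directory $3: any local user can change what root executes on schedule.
risky_cron_targets() {
  targets=$(printf '%s\n' "$2" | cron_targets "$3")
  printf '%s\n' "$1" | world_writable | while IFS= read -r name; do
    if printf '%s\n' "$targets" | grep -Fxq -- "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

risky_cron_targets "$LISTING" "$ROOT_CRONTAB" /scripts
```

Each reported file should be owned by root with mode 755 or stricter; file names containing spaces are not handled by this listing parser.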