Permissions Matter!
overview
The admin was tasked to create a replica of an existing Linux system. He copied the entire filesystem to his computer, made modifications to some files and then copied it onto the newly provisioned system. Unfortunately, in his haste to set the new system up, he forgot to take care of permission sets.
tasks
Lab Environment
In this lab environment, you will be provided with GUI access to a Kali machine. A terminal access to the target machine is provided at target.ine.local:8000, which you can access over the browser in Kali.
Objective: Your mission is to get a root shell on the box and retrieve the flag!
Tools
The best tools for this lab are:
Nmap
Browser(Firefox)
Solutions
Step 1: Access the Kali Machine
Step 2: Check Target Reachability
Command:
The target is reachable.
Step 3: Access the Exposed Service
Open a browser and navigate to the following URL to explore the service running on port 8000:
[http://target.ine.local:8000]
You should now see the Linux terminal interface running, confirming that the service is live and accessible.
Step 4: The following command will look for files (and not symlinks etc) that are writable.
Command:
Step 5: Observe from the result that /etc/shadow is world writable.Verify the same and also check its contents.
Commands:
Step 6: Observe that the root password is not set. Adding a known password in the shadow file can escalate to root. Use openssl to generate a password entry.
Command:
Step 7: Copy the generated entry and add it to the root record in /etc/shadow
Command:
Step 8: After making the changes, try to switch to the root user.
Command:
Enter password: password
Step 9: Once the escalation to root is complete, retrieve the flag located in /root directory.
Commands:
Flag: e62ab67ddff744d60cbb6232feaefc4d
Last updated