Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Locker Walkthrough (privilege escalation through sulogin)

Machines can be download here. Easy but also interesting one.


Nmap scan ports, only 80 is open.

图片.png


Open main page, very simple.

图片.png


Check source code, found locker.php.

图片.png


Click "Model 1", then redirect to locker.php and display a picture.

图片.png

Obviously, the number "1" for param "image" is part of filename, because if we change it to 2 or 3, we will see different pictures.

图片.png


At first, I think maybe it is LFI. After some check, I found it is a RCE.

图片.png


Then we can get reverse shell.

图片.png


Check SUID binary, we can find an interesting file.

图片.png


In fact, I enum a lot in the machines, but found no other ways to privilege escalation. So we have to use sulogin.

First, if we execute sulogin directly, we can only get a shell with no root privilege.

图片.png


Then check the man page of sulogin, we find a key env variable "SUSHELL".

ENVIRONMENT                                                                                                          
       sulogin looks for the environment variable SUSHELL or sushell to determine what shell to start.  If the envi‐ 
       ronment variable is not set, it will try to execute root's shell from /etc/passwd.  If that  fails,  it  will 
       fall back to /bin/sh.

                                                                              
Code a fake shell in C:

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void){
setuid(0);
setgid(0);
system("/bin/bash");
}

Compile it.

gcc -o exp exp.c

Upload it to /tmp in VM, chmod +x, then change SUSHELL environment variable.

图片.png


Then run sulogin again, and we get ROOT!

图片.png

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.0