Forum Discussion
help with A Christmas Catastrophe: A Letter to Santa
I am in the privilege escalation part.
Tried to create a symlink to /root/root.txt and to /root in /etc/letters/, waiting for the cron job /etc/chmod.sh to take ownership with the chmod 666 instruction and then extract the token, but it doesn't work.
Any help? Is there something missing?
5 Replies
- autom8on, Advocate
When we did the lab, although we had to do some web-fu to get the initial foothold, once we were on the box (with meterpreter), we found a local vulnerability that could be popped to priv esc up to root and grab the token. We didn't do anything clever with the cron stuff. I have no idea if this is how they intended you to do the lab, or if we missed something clever.
One minor headache though - sometimes metasploit's local_exploit_suggester script reported that the vuln was there, sometimes it did not.
Good luck! :-)
- jcberlan, Bronze II
I was following this hint. So nothing that I see with metasploit.
A Letter to Santa | Immersive Community - 2696
And there it speaks about SSI and using the crontab chmod.sh script.
- netcat, Advocate
If I understand you correctly: you are creating a symlink to /root/root.txt, and then you try to read that file using that symlink, as a normal user. This will not work.
Your goal is not to create a symlink, but the token. That said, there are much easier ways (using the crontab method) to read the token.
- jcberlan, Bronze II
The token is in /root/root.txt, which I can't access even via SSI in the web form.
So, as the other chat says, I create a symlink and as the crontab runs it assigns via chmod permissions to be read. Then I expect to find the token in the file root.txt.
Give me another hint if you know. All this stuff comes from this hint:
"The chmod.sh script is only running for files in /etc/letters. If you create a symbolic link in that folder to any file on the system, the chmod command will be performed on that file. I initially only created a symlink to /root/root.txt, but you also need to create a symlink to /root (or any other root owned file e.g. /etc/passwd, /etc/shadow)
https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
That article explains the vulnerability quite well"
- netcat, Advocate
Now I remember, when I did the lab I was at that point, too - and it didn't work as I expected.
Two hints:
The script is executed as root by the cron job, that's a fact. Right track.
The script didn't do what I expected it to do, I'd say it is bugged.
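For the pattern the quoted hint describes (a root cron job that runs chmod over every entry in a drop folder such as /etc/letters), here is an added example, not the lab's chmod.sh and not from any poster, showing the unsafe loop beside a variant that touches regular files only, plus a check an administrator can run to spot links pointing out of the folder. It assumes GNU find and stat, and takes the directory as an argument so it can be exercised against a scratch directory instead of /etc/letters.

```bash
#!/bin/sh
# Added example, not the lab's script. Assumes GNU coreutils/findutils.

# Unsafe pattern: chmod follows symlinks, so a link dropped into the folder
# changes the mode of whatever it points at, anywhere on the system.
unsafe_fix_perms() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue   # skip dangling links and empty globs
        chmod 666 "$f"
    done
}

# Safer: -type f matches regular files only (symlinks are not followed
# without -L), and -maxdepth 1 keeps the job inside the folder itself.
safe_fix_perms() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -exec chmod 666 {} +
}

# Audit helper: print every symlink in the folder whose resolved target
# lies outside the folder; a root cron job should never see such entries.
find_escaping_links() {
    dir=$(readlink -f "$1")
    find "$dir" -maxdepth 1 -type l | while read -r link; do
        target=$(readlink -f "$link")
        case "$target" in
            "$dir"/*) ;;                                   # stays inside
            *) printf '%s -> %s\n' "$link" "$target" ;;    # escapes
        esac
    done
}

# Octal mode of a path (GNU stat; follows symlinks like chmod does).
mode_of() { stat -c '%a' "$1"; }
```

Run find_escaping_links against the folder before the cron job fires; any output is a sign that the job would be rewriting permissions outside its own directory.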