Forum Discussion

jcberlan's avatar
jcberlan
Bronze II
4 months ago

help with A Christmas Catastrophe: A Letter to Santa

I am in the scalation privileges part.  Tried to create a symlink to /root/root.txt and to /root  in /etc/letters/ waiting cron /etc/chmod.sh takes ownership with chmod 666 instruction and then extr...
help & support
questions & feedback
tips & tricks
jcberlan's avatar
jcberlan
Bronze II
2 months ago

The token is in /root/root.txt where I can't access even via SSI in the web form
So, as the other chat says, I create a symlink and as the crontab runs it asigns via chmod permissions to be read.Then I expect to finth the token in the file root.txt


Give me another hint is you know.

 

All this staff comes from this hint:

"The chmod.sh script is only running for files in /etc/letters. If you create a symbolic link in that folder to any file on the system, the chmod command will be performed on that file. I initially oly created a symlink to /root/root.txt, but you also need to create a symlink to /root (or any other root owned file e.g. /etc/passwd, /etc/shadow)

https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
That article explains the vulnerability quite well"