Forum Discussion

jamesstammers
22 days ago
Solved

A Letter to Santa

Hello everyone, 

Wrong time of year, I know... 

I've been having a go at the Christmas challenge collection and am stuck on "A letter to Santa". I've managed to get code execution as user but am struggling with the priv esc. 

I've found the cron job which runs chmod 600 * as root in /etc/letters. Is it possible to use chmod to priv esc? 

I've tried creating a file called '--reference=file' and created another file called 'file' with 7777 privileges - resulting in anything in the directory having the suid bit set. Tried copying bash and creating a symlink, but with no luck. 

Am I going down a massive rabbit hole with this? Or missing some obvious plain text creds somewhere 😂

4 Replies

  • Oh nevermind, I solved it :) didn't realise I needed to change permissions of the root folder, not just the file within it. Definitely learnt something new from this lab! 

    • LewisMutton

      jamesstammers do you have any further hints for how you went about changing permissions of the root folder? For something quite simple it's proving difficult.

      • jamesstammers

        Yeah it is tricky - definitely harder than it looks lol. So basically I used the wildcard injection vulnerability to make root change permissions on any file I want (as I described above). The chmod.sh script is only running for files in /etc/letters. If you create a symbolic link in that folder to any file on the system, the chmod command will be performed on that file. I initially only created a symlink to /root/root.txt, but you also need to create a symlink to /root (or any other root-owned file, e.g. /etc/passwd, /etc/shadow).

        https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
        That article explains the vulnerability quite well.
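For anyone reading this thread from the other side of the fence, here is what the fixed version of that cron job looks like. This is an added example written for this discussion, not the lab's chmod.sh and not code posted by anyone above. It takes the directory as a parameter and exercises itself against a constructed temporary sandbox rather than /etc/letters, so the file names and modes below are made up for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): a hardened replacement for a cron job
# that runs "chmod 600 *" inside a drop directory such as /etc/letters.
#
# Unsafe form described in the thread:   cd /etc/letters && chmod 600 *
# Two defects: the shell expands "*" into separate argument words, so a file
# whose name starts with "--" is parsed by chmod as an option; and chmod
# dereferences symbolic links, so a link planted in the directory redirects
# the mode change to whatever it points at.

harden_letters_dir() {
    dir=$1
    # -maxdepth 1 : do not descend into subdirectories
    # -type f     : regular files only; find does not follow symlinks unless
    #               told to (-L/-H), so planted links are skipped, not chased
    # --          : ends chmod's option parsing, so "--reference=..." and
    #               similar names are operands, never options
    # {} +        : find hands each path over as one argument, so names with
    #               spaces or leading dashes survive intact (no word splitting)
    find "$dir" -maxdepth 1 -type f -exec chmod 600 -- {} +
}

# Returns 0 if $1 has exactly mode 600, 1 otherwise.
# Uses find -perm instead of stat so it works on both GNU and BSD userlands.
has_mode_600() {
    [ -n "$(find "$1" -maxdepth 0 -perm 600 2>/dev/null)" ]
}

# Builds a constructed sandbox shaped like /etc/letters, runs the hardened
# command over it, and prints the sandbox path so the result can be inspected.
demo_sandbox() {
    sb=$(mktemp -d)
    mkdir "$sb/letters" "$sb/outside"
    # an ordinary letter plus a file whose name begins with "--" (constructed)
    printf 'dear santa\n' > "$sb/letters/letter1.txt"
    printf 'x\n' > "$sb/letters/--reference=letter1.txt"
    chmod 644 "$sb/letters/letter1.txt" "$sb/letters/--reference=letter1.txt"
    # a file outside the directory, and a symlink to it planted inside
    printf 'secret\n' > "$sb/outside/target.txt"
    chmod 640 "$sb/outside/target.txt"
    ln -s "$sb/outside/target.txt" "$sb/letters/link"
    harden_letters_dir "$sb/letters"
    printf '%s\n' "$sb"
}
```

After `harden_letters_dir` runs, both regular files in the sandbox end up at mode 600 (the dash-prefixed name is just another operand), while the file behind the symlink keeps its original mode because `find -type f` never selects the link. If you want to keep a one-liner in the crontab, the same two properties come from `chmod 600 -- ./*` run from inside the directory (the `./` prefix also defeats the option injection), but that still follows symlinks, so the `find` form is the one to prefer.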