A Letter to Santa
Hello everyone,
Wrong time of year, I know..
I've been having a go at the Christmas challenge collection and stuck on "A letter to Santa". I've managed to get code execution as user but struggling with the priv esc.
I've found the cron job which runs chmod 600 * as root in /etc/letters. Is it possible to use chmod to priv esc?
I've tried creating a file called '--reference=file' and created another file called 'file' with 7777 privileges - resulting in anything in directory having suid bit set. Tried copying bash and creating a symlink, but with no luck.
Am I going down a massive rabbit hole with this? Or missing some obvious plain text creds somewhere 😂
4 Replies
- jamesstammers
Bronze III
Oh nevermind, I solved it :) didn't realise I needed to change permissions of the root folder, not just the file within it. Definitely learnt something new from this lab!
- LewisMutton
Bronze II
jamesstammers do you have any further hints for how you went about changing permissions of the root folder? For something quite simple it's proving difficult
- jamesstammers
Bronze III
Yeah it is tricky - definitely harder than it looks lol. So basically I used the wildcard injection vulnerability to make root change permissions on any file I want (how I described above). The chmod.sh script is only running for files in /etc/letters. If you create a symbolic link in that folder to any file on the system, the chmod command will be performed on that file. I initially only created a symlink to /root/root.txt, but you also need to create a symlink to /root (or any other root owned file e.g. /etc/passwd, /etc/shadow)
https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
That article explains the vulnerability quite well
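A defensive take on the cron job discussed in this thread, as an added example that is not part of any post or the lab's own script: `audit_dir` flags the entries an unquoted `chmod 600 *` would misinterpret, and `safe_chmod` is a replacement that only touches regular files. The function names are hypothetical, and a `find` that supports `-maxdepth` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example (not the lab's chmod.sh): audit and harden a root cron job
# that runs `chmod 600 *` inside a directory unprivileged users can write to.

# audit_dir DIR: print every entry that `chmod 600 *` would mishandle:
#   - names starting with "-" are parsed by chmod as options
#   - symlinks make chmod act on the link target, wherever it lives
audit_dir() {
    dir=$1
    for path in "$dir"/*; do
        # Skip the literal pattern when the directory is empty,
        # but keep dangling symlinks (-e is false for those).
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            -*) printf 'option-like name: %s\n' "$name" ;;
        esac
        if [ -L "$path" ]; then
            printf 'symlink: %s -> %s\n' "$name" "$(readlink "$path")"
        fi
    done
}

# safe_chmod DIR: hardened replacement for `cd DIR && chmod 600 *`.
#   - find builds the argument list itself, so no shell glob is expanded
#   - -type f matches regular files only; symlinks are never followed
#   - every path is prefixed with DIR and preceded by "--", so a file
#     name can never be read as an option
safe_chmod() {
    dir=$1
    case $dir in
        /*) ;;               # absolute path, cannot look like an option
        *) dir=./$dir ;;     # relative path, force a leading "./"
    esac
    find "$dir" -maxdepth 1 -type f -exec chmod 600 -- {} +
}

# Stand-alone use: sh this_file.sh /path/to/dir  (audit only, changes nothing)
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```
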