Forum Discussion
Bronze IIIA Letter to Santa
Oh nevermind, I solved it :) didn't realise I needed to change permissions of the root folder, not just the file within it. Definitely learnt something new from this lab!
Bronze IIIOh nevermind, I solved it :) didn't realise I needed to change permissions of the root folder, not just the file within it. Definitely learnt something new from this lab!
LewisMuttonjamesstammers do you have any further hints for how you went about changing permissions of the root folder? For something quite simple it's proving difficult
- jamesstammers
Yeah it is tricky - definitely harder than it looks lol. So basically I used the wildcard injection vulnerability to make root change permissions on any file I want (how I described above). The chmod.sh script is only running for files in /etc/letters. If you create a symbolic link in that folder to any file on the system, the chmod command will be performed on that file. I initially oly created a symlink to /root/root.txt, but you also need to create a symlink to /root (or any other root owned file e.g. /etc/passwd, /etc/shadow)
https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
That article explains the vulnerability quite well- LewisMutton
Thanks for the reply, I'll have a look at this link later and hopefully it will click!
It sounds like l was attempting what you're describing, but I imagine like most things there is a small nuance I missed.
