You have access to the vim text editor via sudo, but shell escapes are blocked. How do you escalate privileges to get an unfettered root shell without sudo?
#Linux #DFIR #CommandLine #Trivia
Jejo (in reply to Ann K.):
I have a similar issue in an old PC. Can't find the password for sudo.
Can't update Linux, can't even reinstall it since I can't, not from the USB. Pretty crazy.
#linuxhelp
@hal_pomeranz
Hal Pomeranz (in reply to Jejo):
How to Boot into Root Shell without Password (Bobbin Zachariah, Linoxide)

Blake Regan (in reply to Hal Pomeranz):
@away2thestars @mastodon.gamedev.place @piquant00
Not quite the same, but similar: at a former role working in an IA lab, while rotating the root password on Solaris 10, we fat-fingered the new phrase twice and got locked out of root.
I was able to use the low-level OS on the Sun box to find the proper sector where the OS partition was and then mount it to boot into single-user mode.
From there we edited the shadow file and cleared out the root password hash, saved, then shut down single-user mode and booted back into the proper OS, then sudo'd to root with no password, then changed the password using passwd.
That was a lot of fun.
D C Ross (in reply to Hal Pomeranz):
(Evil is added here: Remove or replace the root password)
:w!
:q
su
(Fun shall now commence)
JDN6 (in reply to Hal Pomeranz):
@mttaggart
su -c "command string" -l
rkvl (in reply to Hal Pomeranz):
modify the dynamic linker/loader to preload a lib you planted.
man7.org/linux/man-pages/man8/…
ld.so(8) - Linux manual page (man7.org)
furicle (in reply to Hal Pomeranz):
Edit /etc/shadow?
Scott Leggett (in reply to Hal Pomeranz):
> shell escapes are blocked
what does this mean?
Hal Pomeranz (in reply to Hal Pomeranz):
Yesterday's Linux DFIR command line trivia asked what you can do to escalate privilege if you have sudo access to the vim text editor. The constraints are that shell escapes are disabled (see the "noexec" option to sudo) and your final privilege escalation path must not use sudo (because logging, y'all). Several people checked in with good ideas!
@steve and @millert (who knows a little something about sudo-- look it up) jumped in with a classic. Simply edit /etc/passwd and make your regular account UID 0 (or make yourself a new UID 0 account you can su into). Any account with UID 0 has root privs. You will need to log out and log back in again after making this change.
@millert and @timb_machine suggested setting up a root cron job to execute whatever commands you want-- just drop a new script into /etc/cron.hourly. For example, you could run commands as root to give you a set-UID copy of the shell:
cp /bin/bash /tmp/evil-bash
chown root:root /tmp/evil-bash
chmod 4555 /tmp/evil-bash
@rkervell went for editing a file like /etc/ld.so.conf and setting up an LD_PRELOAD style rootkit. Google "Linux LD_PRELOAD rootkit" for more background and some working examples.
@timb_machine checked in with a bunch of good ideas. For example, adding your own SSH public key to /root/.ssh/authorized_keys. You might also need to modify the "PermitRootLogin" setting in /etc/ssh/sshd_config, but once you have your key in authorized_keys you should be able to HUP the SSH server remotely to pick up the config change.
He also suggested making changes to other start-up files for the root user. For example, /root/.bashrc which will execute on every root shell execution (like the commands suggested for the evil cron job above). You might have to wait a bit for this to trigger though.
Tim also suggested using vim to overwrite an existing set-UID binary. For example, once you run "sudo vim" you could:
:r /bin/bash
:w! /usr/bin/chfn
:q
Then you should be able to execute "/usr/bin/chfn -p" and get your root shell.
That's a bunch of good ideas so far. One other idea I can think of is to modify the system PAM configuration. I'd have to fully research this idea, but you should be able to modify /etc/pam.d/su to remove the authentication requirement.
So the takeaway here is never give anybody root access to a text editor. Even if they don't directly shell escape, there's a lot of evil they can do!
#Linux #DFIR #CommandLine #Trivia
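Every path in the summary above leaves a trace in a file root owns, which is what a responder would go looking for. The script below is an added, defender-side audit example; it is not code from the thread or from any participant, and its file names, key, hashes and sample contents are constructed assumptions. It checks the artefacts the thread names: extra UID 0 entries in /etc/passwd, entries in /etc/ld.so.preload, keys in /root/.ssh/authorized_keys together with the PermitRootLogin setting, an /etc/pam.d/su stack that authenticates nothing, and set-UID root binaries whose content is a known shell (the result of both the cron-job payload and the ":w! /usr/bin/chfn" overwrite). Each check takes file content as text so it runs offline on the samples; pointing the same functions at the live files turns it into a host audit.

```python
"""Defender-side audit for the root-file edits listed in the thread.

Every check takes file CONTENT as text (or a constructed listing), so it runs
offline on the sample data below; pointing the same functions at the live
files (/etc/passwd, /etc/ld.so.preload, /root/.ssh/authorized_keys,
/etc/ssh/sshd_config, /etc/pam.d/su) turns it into a host audit.  Each
function returns a list of findings; an empty list means nothing was seen.
"""
import re

# --- Constructed sample inputs (assumptions, not data from any real host) ---
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:0:1000:alice:/home/alice:/bin/bash\n"  # UID field changed to 0
)
SAMPLE_LD_PRELOAD = "# planted entry\n/usr/lib/libplanted.so\n"
SAMPLE_AUTHORIZED_KEYS = "ssh-ed25519 AAAAC3Nza...PLACEHOLDER planted-key@example\n"
SAMPLE_SSHD_CONFIG = "#PermitRootLogin prohibit-password\nPermitRootLogin yes\n"
SAMPLE_PAM_SU_BAD = "auth sufficient pam_rootok.so\nauth sufficient pam_permit.so\n"
SAMPLE_PAM_SU_OK = "auth sufficient pam_rootok.so\nauth include system-auth\n"
# (path, mode, owner uid, sha256); the digests are placeholders standing in
# for real hashes, which in practice come from os.stat() and hashlib.
SAMPLE_FILES = [
    ("/bin/bash", 0o0755, 0, "sha256-of-bash-PLACEHOLDER"),
    ("/tmp/evil-bash", 0o4555, 0, "sha256-of-bash-PLACEHOLDER"),  # cron payload
    ("/usr/bin/chfn", 0o4755, 0, "sha256-of-bash-PLACEHOLDER"),   # ':w!' overwrite
    ("/usr/bin/passwd", 0o4755, 0, "sha256-of-passwd-PLACEHOLDER"),
]
KNOWN_SHELL_HASHES = {"sha256-of-bash-PLACEHOLDER"}


def _active_lines(text):
    """Non-blank, non-comment lines of a config file."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def uid0_accounts(passwd_text):
    """Names of accounts other than root whose UID field is 0."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


def preloaded_libs(ld_preload_text):
    """Libraries listed in /etc/ld.so.preload; a populated file is unusual."""
    return _active_lines(ld_preload_text)


def root_ssh_findings(authorized_keys_text, sshd_config_text):
    """Keys in /root/.ssh/authorized_keys plus any PermitRootLogin other than 'no'."""
    findings = []
    keys = _active_lines(authorized_keys_text)
    if keys:
        findings.append(f"{len(keys)} key(s) in /root/.ssh/authorized_keys")
    for line in _active_lines(sshd_config_text):
        m = re.match(r"PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() != "no":
            findings.append(f"PermitRootLogin {m.group(1)}")
    return findings


def pam_su_auth_findings(pam_su_text):
    """An su stack with no auth lines, or one that reaches pam_permit.so."""
    auth = [l.split() for l in _active_lines(pam_su_text) if l.split()[0] == "auth"]
    if not auth:
        return ["no auth lines in /etc/pam.d/su"]
    return ["auth " + " ".join(f[1:]) for f in auth if "pam_permit.so" in f]


def setuid_shell_copies(file_records, shell_hashes):
    """Set-UID root files whose content hash is a known shell binary."""
    return [path for path, mode, uid, digest in file_records
            if mode & 0o4000 and uid == 0 and digest in shell_hashes]


def run_audit():
    """Run every check on the constructed samples, keyed by the artefact checked."""
    return {
        "/etc/passwd": uid0_accounts(SAMPLE_PASSWD),
        "/etc/ld.so.preload": preloaded_libs(SAMPLE_LD_PRELOAD),
        "root ssh": root_ssh_findings(SAMPLE_AUTHORIZED_KEYS, SAMPLE_SSHD_CONFIG),
        "/etc/pam.d/su": pam_su_auth_findings(SAMPLE_PAM_SU_BAD),
        "set-uid shells": setuid_shell_copies(SAMPLE_FILES, KNOWN_SHELL_HASHES),
    }


if __name__ == "__main__":
    for artefact, findings in run_audit().items():
        print(f"{artefact:20} {'OK' if not findings else findings}")
```

The set-UID check compares content hashes rather than names because the overwrite trick keeps the original path (/usr/bin/chfn) and the cron trick uses an arbitrary one (/tmp/evil-bash); a package-manager verification pass (rpm -V, debsums) catches the former as well, but not a copy dropped under /tmp. The /etc/passwd check is the one worth running from a log pipeline too, since the UID change only takes effect at the next login.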