Well I dug in and Tried Harder… and I got root on the machine I was working on. It was definitely something new for me which is awesome. I kinda wonder if this priv esc has been presented to me before in the PWK labs or on the OSCP exams and I’ve missed it. It was really simple once I realized what I had to do, but that was the hard part. I also didn’t fully root, as I didn’t spawn a root shell, but what I did allowed me root command access so I’m okay with that. Playing with it for a bit longer I probably could have gotten the shell, but I had already spent a lot of time on this machine.
I won’t name the machine here so that I’m not breaking HTB policy if I give too much information away. I was introduced to a new tool, pspy. This tool shows all processes running on the box in real time, even root processes. I was able to see that there was some automated script running every time a user logged into the machine through SSH. Pspy also gave me the script that was being run, so I was able to see that I could hijack a process that was being called and have it run my specified commands. This was possible due to a world-writable directory being put into the PATH.
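For anyone hardening a box against this kind of PATH misconfiguration, here is an audit check, added as an example and not taken from the machine or from any tool mentioned in this post. It takes the PATH a privileged script runs with and the command names that script calls, and reports which of them a world-writable PATH entry could shadow; the `report-tool` name and the temporary directories are constructed for the demo.

```python
import os
import stat
import tempfile

def world_writable_dir(path):
    """True if `path` is an existing directory with the world-write bit set."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)

def audit_path(path_value, commands):
    """Report bare command names that a world-writable PATH entry could shadow."""
    entries = [e or "." for e in path_value.split(os.pathsep)]  # empty entry = cwd
    findings = []
    for cmd in commands:
        if os.sep in cmd:  # called by explicit path, so PATH is not searched
            continue
        risky, resolved = [], None
        for entry in entries:
            # Flag every writable entry searched at or before the resolving one.
            if world_writable_dir(entry):
                risky.append(entry)
            candidate = os.path.join(entry, cmd)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                resolved = candidate
                break
        if risky:
            findings.append({"command": cmd, "resolves_to": resolved,
                             "shadowable_from": risky})
    return findings

def build_demo():
    """Constructed fixture: one world-writable dir, one locked-down dir with a tool."""
    base = tempfile.mkdtemp()
    writable, safe = os.path.join(base, "writable"), os.path.join(base, "safe")
    os.mkdir(writable)
    os.mkdir(safe)
    os.chmod(writable, 0o777)
    os.chmod(safe, 0o755)
    tool = os.path.join(safe, "report-tool")  # hypothetical command name
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(tool, 0o755)
    return writable, safe

if __name__ == "__main__":
    writable, safe = build_demo()
    for order in ([writable, safe], [safe, writable]):
        print(order, audit_path(os.pathsep.join(order), ["report-tool", "/bin/ls"]))
```

A finding goes away when the writable directory is removed from the PATH or moved after the directory that holds the real binary, or when the script calls the command by absolute path.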
All in all I feel this was something that I should have definitely had some experience with already, but I’m glad that I finally got it figured out. I also finished another challenge that I had been working on that introduced me to the padbuster tool. That definitely took some research in learning how the tool worked, but it will definitely be a good tool to have in the arsenal now. Overall, I feel very accomplished after finishing these challenges and I’m already looking at the next ones to tackle.
VulnHub Rooted: 3
HTB Rooted: 2
HTB Challenges: 6