HackTheBox Academy: Privilege Escalation

KarmicDragoon92
Published in InfoSec Write-ups
7 min read · May 10, 2024

So, typically I don’t write articles for stuff on HackTheBox Academy. There’s nothing wrong with doing that; I just don’t usually do it, as that’s where I like to learn and take notes so that I can apply it on the main platform and then go more in depth about what I’m doing there. However, I’m currently working through the Pentester job role to eventually take the CPTS exam, and I stumbled across the basic privilege escalation segment in the Getting Started module, got a little stuck, and wanted to talk about it. So without further ado, let’s get into it.

What is Privilege Escalation?

So what exactly is privilege escalation? For those of you who may not be familiar, privilege escalation is a process an attacker will (more than likely) undertake in order to gain more access to the system or network they are attacking in order to do whatever it is they are trying to do.

Typically, after a successful initial intrusion, either through phishing or some public-facing exploit, the attacker has gained access to some type of account. The account an attacker holds after an initial intrusion is usually what we refer to as an unprivileged account, meaning they can’t do just whatever they want on that system. Because of that, attackers perform privilege escalation on that system in order to gain higher-level access to administrative accounts or functions. They can do this either by exploiting vulnerabilities in the operating system or installed software, or by exploiting misconfigurations.

Well, How About an Example?

Well, I was getting there. So if you’re not familiar with HackTheBox, it’s a cyber CTF platform where you can practice your pentester skills on vulnerable VMs. However, today I am showing off the Academy platform, which holds your hand a little more than the main platform and aims to teach you how to do cool stuff. For this demo I will be using their platform to answer the two questions in the Privilege Escalation part of the Getting Started module. We have two objectives here.

Alright, let’s get started. Let’s open up a terminal and ssh into the remote system.

Just for your awareness, I used the -p option followed by a port number, as this remote system isn’t using ssh’s default port, which is 22.

So the module’s reading suggests using sudo -l, which lists what the current user is allowed to run with sudo (and as which users) and what sudo shenanigans we can get up to, so let’s see what we (or someone else) can or can’t do with sudo.

So what we can see from this output is that our current user is allowed to run /bin/bash as user2 without being asked for a password. So what we can do is use the sudo -u option to run commands as user2. How exactly do we do that, though? Because if we just try running commands as user2 we run into this issue.

So this looks a little confusing, but all it is, is me trying to run the ls command as user2, and it (rightfully) tells me I’m not allowed to do that, since the sudo rule only permits /bin/bash, not ls. So, if I can only access /bin/bash as user2, how can we do that? Well, one tool the module gives us is GTFOBins, which is a site that gives privilege escalation guidance depending on what type of commands we have access to. Let’s see what it has to say.

So if you open the page and scroll down to bash, it will tell us we can do file reading if we have access to this command. Let’s see what it recommends.

Okay, so it looks like we could store the file we want to read in a variable in bash and call it later, but if you look at the bash -c option it looks like that just lets us run bash commands, so let’s try doing that as user2.
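A defender’s way to spot the kind of rule this walkthrough abuses, as an added example that is not from the article or the HTB module: the script below parses sudo -l output and flags NOPASSWD rules whose command is a shell, another interpreter, or ALL. The sample output is constructed to mirror the lab’s rule (user names are assumed), and the interpreter list is my own choice.

```shell
#!/bin/sh
# Constructed sample of `sudo -l` output mirroring the rule found in the lab
# (the current user may run /bin/bash as user2 with no password). Not captured output.
SAMPLE_SUDO_L='Matching Defaults entries for user1 on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User user1 may run the following commands on this host:
    (user2 : user2) NOPASSWD: /bin/bash
    (root) /usr/bin/systemctl status sshd'

# Read `sudo -l` text on stdin and print "runas -> command" for each NOPASSWD rule
# whose command is a shell, an interpreter, or ALL. sudo only permits the rule's
# exact command, which is why `sudo -u user2 ls` is refused while
# `sudo -u user2 /bin/bash` is allowed.
find_nopasswd_shells() {
    awk '
        /NOPASSWD:/ {
            match($0, /\([^)]*\)/)                 # "(user2 : user2)" runas spec
            runas = substr($0, RSTART + 1, RLENGTH - 2)
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)     # keep only the command list
            n = split(cmds, list, ",")
            for (i = 1; i <= n; i++) {
                c = list[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                split(c, words, " ")               # first word is the binary
                m = split(words[1], parts, "/")
                base = parts[m]
                if (base ~ /^(ALL|bash|sh|dash|zsh|ksh|python[0-9.]*|perl|vi|vim|less|more|find|awk)$/)
                    print runas " -> " c
            }
        }'
}

# Convenience wrapper for the embedded sample; prints the number of risky rules.
count_risky_rules() {
    printf '%s\n' "$SAMPLE_SUDO_L" | find_nopasswd_shells | wc -l | tr -d ' '
}

count_risky_rules
```

Run it on a real host with: sudo -l | find_nopasswd_shells (after sourcing the file).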

Alright. Let’s find and read that user flag. Typically these flags can be found in home directories, so let’s go hunting in user2’s home directory.

Awesome. Now we get to the part I had a little trouble with, which was somehow gaining access as root. The module talks about pillaging ssh private keys as a way of privilege escalation, and that ends up being the idea here. Let’s see what we can access in root’s home directory.

Ah, let’s try it as user2.

So two things jump out at me: first of all the flag, but as we can see from the permissions, only root can read it. However, it looks like user2 can access the .ssh directory, where maybe there’s an RSA private key we can steal?

Here we can see that that sweet, sweet id_rsa private key file is world-readable… So, I would cat it out and show you, but it’s a lot of what looks like random characters, so I’m gonna guide you through this. What we want to do is indeed cat it out to the terminal, and then you’re going to copy everything that is output. We are then going to exit this ssh session, go back to our host, make a file and paste that key into it. I am going to do all of this and then show you the key back on our “local” host.

Alright, so here’s the key on our attack VM. One thing to note is to make sure this file is exactly the same as the key we copied. The main thing I’ve seen happen is that when you paste it into [text editor of your choice], it adds another line at the end of the file just because. You’re gonna wanna backspace or otherwise get rid of that extra line; it should be 38 lines long. We can verify that with wc -l, but I know mine is 38 lines long. So now, finally, let’s use this key to try to ssh as root into our victim.

Whoops, I actually made an oopsie. We are getting this error because our key file is readable by others. Let’s view the permissions of this key so you can see what I mean.

Okay, so here we can see that both the group and other permissions are set to read, which we don’t want for our ssh private keys. Now, yes, the group that can read this file is just my user group, but that’s still not okay, so we’re going to use the chmod command to set the permissions so just the file owner (me) can read (and write) this file (chmod 600).
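As an added example (not from the article), here is a small shell check that catches both problems from the last few paragraphs: group/other permission bits on a pasted private key, and a stray blank line after the END marker that throws off the line count. The key text in it is a constructed dummy, not a real key, and the fix function applies exactly the chmod 600 described above.

```shell
#!/bin/sh
# Constructed stand-in for a pasted private key: real-looking marker lines around
# dummy body lines. It is NOT a real key; it only exercises the checks below.
FAKE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
AAAAconstructed-dummy-line-1
AAAAconstructed-dummy-line-2
-----END OPENSSH PRIVATE KEY-----'

# Succeed only if group and other have no permission bits at all (what ssh insists on).
# Tries GNU stat first and falls back to BSD stat.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# Number of lines in the file, to compare against the count on the source host.
key_line_count() {
    wc -l < "$1" | tr -d ' '
}

# Succeed only if the last line is the END marker, i.e. no blank line was added on paste.
key_layout_ok() {
    case "$(tail -n 1 "$1")" in
        '-----END '*' PRIVATE KEY-----') return 0 ;;
        *) return 1 ;;
    esac
}

# Drop trailing blank lines and restrict the file to owner read/write (chmod 600).
fix_key_file() {
    tmp="$1.tmp"
    awk '{ lines[NR] = $0 }
         END {
             n = NR
             while (n > 0 && lines[n] ~ /^[ \t]*$/) n--
             for (i = 1; i <= n; i++) print lines[i]
         }' "$1" > "$tmp" && mv "$tmp" "$1"
    chmod 600 "$1"
}
```

Use it as: key_perms_ok ~/.ssh/copied_key && key_layout_ok ~/.ssh/copied_key || fix_key_file ~/.ssh/copied_key.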

Now let’s try sshing again.

Alright, let’s read that flag finally.

Conclusion

So, that was some very basic privilege escalation on Linux. I definitely was a little humbled going through this, but again we’re all learning, all taking this one step at a time. The important thing is for us to keep practicing and just keep trying and we’ll all get to where we want to be eventually. I hope you have a good day and I will see you next time!

Check out my website at: https://www.karmicsecurity.com
