Linux PrivEsc
Rosemold is in Ostrich Saloon on the Island of Misfit Toys. Give her a hand with escalation for a tip about hidden islands.
Challenge

What am I doing in this saloon? The better question is: what planet are you from?
Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here.
Whatever. Do you know much about privilege escalation techniques on Linux?
You're asking why? How about I'll tell you why after you help me.
And you might have to use that big brain of yours to get creative, bub.

Rose Mold gives you the following hints as well:
There are various ways to escalate privileges on a Linux system.
Using the privileged binary to overwrite a file to escalate privileges could be a solution, but there's an easier method if you pass it a crafty argument.

Solution

After logging into the terminal, we look around for the simplest privilege-escalation options: sudo, crontab, setuid binaries, etc.
We find a binary at /bin/simplecopy that is setuid root (see screenshot number 1). Running it shows very quickly that it copies a file from a source path to a destination path, and because it runs as root, the destination can be a root-owned file.
Since sudo is not available, we ask the AI for other options:
PROMPT: How should I modify a /etc/passwd so a normal user can get root permissions? I don't have sudo installed, do I have another way?
ChatGPT: If sudo is not installed and you still need to give a user root privileges in a lab environment, there are a few alternative methods you can consider. However, keep in mind that these methods can pose significant security risks and should only be used in controlled, isolated environments.

Setting User UID to 0:

Every user in a Unix/Linux system is identified by a User ID (UID). The root user has a UID of 0. You can change a user's UID to 0 in the /etc/passwd file, which will grant them root privileges. However, this is extremely risky and not recommended because it can cause security and operational issues.
Open /etc/passwd with a text editor (you need to be root or use root privileges to do this).
Find the line for the user you want to modify; it looks something like this:

username:x:1001:1001:User Name:/home/username:/bin/bash

Change the third field (the first number after the second colon) to 0. It should look like this:

username:x:0:1001:User Name:/home/username:/bin/bash

And because we don't know the password either, we ask the AI:
PROMPT: Can you create a passwd entry for user test with password test without shadow usage?
ChatGPT: Creating a /etc/passwd entry for a user with an embedded password is not recommended due to security reasons, especially in modern Unix-like systems where passwords are typically stored in the /etc/shadow file for increased security. However, for educational purposes or in a controlled lab environment, I can show you how to do it.
First, you need to generate a password hash. Unix-like systems use different algorithms for hashing passwords, such as MD5, SHA-256, or SHA-512. Let's use the openssl command to generate an MD5 hash for this example. Remember, MD5 is not recommended for actual use due to its vulnerabilities.

Generate an MD5 Hash of the Password:

Open a terminal and run the following command:

openssl passwd -1 "test"

This will output an MD5 hash of the password "test".

Create the /etc/passwd Entry:

You will manually add a line to the /etc/passwd file with the hashed password. The format of the /etc/passwd file is:

username:password:UID:GID:GECOS:directory:shell

For example, an entry for the user "test" might look like this:

test:$1$hashedpassword:1001:1001:Test User:/home/test:/bin/bash

Replace $1$hashedpassword with the hash generated by the openssl command. The numbers 1001:1001 should be replaced with appropriate UID and GID for your system. Adjust the home directory and shell as needed.

Wow, that was very helpful. That's exactly what we do (see screenshot number 2). First we copy /etc/passwd into our own directory, then we replace the line as described by the AI (an embedded hash for the password test and UID 0), and finally we use simplecopy to copy the modified file back over /etc/passwd.
We can then log in as that user with the password test and are root.
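To check a system for the kind of /etc/passwd tampering this walkthrough performs, here is an added defender-side example that is not part of the original writeup: it parses passwd-format text and flags non-root accounts with UID 0, hashes embedded in the password field instead of the shadow file, empty password fields, and malformed lines. The sample entries, including the hash value, are constructed.

```python
"""Audit passwd-format text for the tampering patterns used in this challenge."""

# Password-field values that mean "no hash stored here": shadowed or locked account.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, skipping blank lines and comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "password": pw, "uid": uid,
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return (line, account, finding) tuples for every suspicious entry in text."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["line"], None, "malformed entry (expected 7 fields)"))
            continue
        if not e["uid"].isdigit():
            findings.append((e["line"], e["name"], "non-numeric UID"))
            continue
        if int(e["uid"]) == 0 and e["name"] != "root":
            findings.append((e["line"], e["name"], "UID 0 on non-root account"))
        if e["password"] == "":
            findings.append((e["line"], e["name"], "empty password field (no password required)"))
        elif e["password"] not in SHADOW_MARKERS:
            findings.append((e["line"], e["name"], "password hash stored in passwd instead of shadow"))
    return findings


# Constructed sample: a normal root line, a system account, and an injected entry of the
# kind built above (embedded MD5-crypt-style hash, UID forced to 0). The hash is a placeholder.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:$1$PLACEHOLDER$notarealhash:0:1001:Test User:/home/test:/bin/bash
"""

if __name__ == "__main__":
    for line, name, finding in audit_passwd(SAMPLE):
        print(f"line {line}: {name}: {finding}")
```

Run it against the real file with `audit_passwd(open("/etc/passwd").read())`; any finding on a production host deserves a look at who wrote the file and with what privileges.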

[Screenshot: 2023_Linux_PrivEsc.jpg]

Rose Mold says afterwards:
Yup, I knew you knew. You just have that vibe.
To answer your question of why from earlier... Nunya!
But, I will tell you something better, about some information I... found.
There's a hidden, uncharted area somewhere along the coast of this island, and there may be more around the other islands.
The area is supposed to have something on it that's totes worth, but I hear all the bad vibe toys chill there.
That's all I got. K byyeeeee.
Ugh... n00bs...

And the hint:
Not all the areas around Geese Islands have been mapped, and may contain wonderous treasures. Go exploring, hunt for treasure, and find the pirate's booty!