What am I doing in this saloon? The better question is: what planet are you from?
Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here.
Whatever. Do you know much about privilege escalation techniques on Linux?
You're asking why? How about I'll tell you why after you help me.
And you might have to use that big brain of yours to get creative, bub.
Rose Mold gives the following hints as well:
There's various ways to escalate privileges on a Linux system.
Use the privileged binary to overwrite a file to escalate privileges could be a solution, but there's an easier method if you pass it a crafty argument.
After we have logged into the terminal, we look around for the simplest options for privilege escalation: sudo, crontab, setuid binaries, etc.
We find a binary under /bin/simplecopy that is set to setuid root (see screenshot number 1). If we run this, we can see very quickly that we can use it to copy files from a source to a destination.
Since we don't have sudo available, we ask the AI for other options:
PROMPT: How should I modify /etc/passwd so a normal user can get root permissions? I don't have sudo installed, do I have another way?
ChatGPT:
If sudo is not installed and you still need to give a user root privileges in a lab environment, there are a few alternative methods you can consider. However, keep in mind that these methods can pose significant security risks and should only be used in controlled, isolated environments.
Every user in a Unix/Linux system is identified by a User ID (UID). The root user has a UID of 0. You can change a user's UID to 0 in the /etc/passwd file, which will grant them root privileges. However, this is extremely risky and not recommended because it can cause security and operational issues.
Open /etc/passwd with a text editor (you need to be root or use root privileges to do this).
Find the line with the user you want to modify, it looks something like this:
username:x:1001:1001:User Name:/home/username:/bin/bash
Change the third field (the first number after the second colon) to 0. It should look like this:
username:x:0:1001:User Name:/home/username:/bin/bash
And because we don't know the password either, we ask the AI:
PROMPT: Can you create a passwd entry for user test with password test without shadow usage?
ChatGPT:
Creating a /etc/passwd entry for a user with an embedded password is not recommended due to security reasons, especially in modern Unix-like systems where passwords are typically stored in the /etc/shadow file for increased security. However, for educational purposes or in a controlled lab environment, I can show you how to do it.
First, you need to generate a password hash. Unix-like systems use different algorithms for hashing passwords, such as MD5, SHA-256, or SHA-512. Let's use the openssl command to generate an MD5 hash for this example. Remember, MD5 is not recommended for actual use due to its vulnerabilities.
Open a terminal and run the following command:
openssl passwd -1 "test"
This will output an MD5 hash of the password "test".
You will manually add a line to the /etc/passwd file with the hashed password. The format of the /etc/passwd file is:
username:password:UID:GID:GECOS:directory:shell
For example, an entry for the user "test" might look like this:
test:$1$hashedpassword:1001:1001:Test User:/home/test:/bin/bash
Replace $1$hashedpassword with the hash generated by the openssl command. The numbers 1001:1001 should be replaced with appropriate UID and GID for your system. Adjust the home directory and shell as needed.
Wow, that was very helpful. That's exactly what we do (see screenshot number 2). First we copy /etc/passwd into our directory, then replace the line as described by the AI and copy the file back over the original with simplecopy.
We can then log in with the password test and are now root.
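The trick above leaves two tell-tale artifacts in /etc/passwd: a UID-0 account that is not root, and a password hash sitting in the second field instead of the usual x. The following audit script is an added example written for this writeup (not part of the original post or the challenge); the passwd content it checks is constructed sample data and the hash in it is a labelled placeholder, not a real crypt string.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample /etc/passwd: a normal system plus the two modifications
# the writeup describes (a user whose UID was set to 0, and an added UID-0
# user with an MD5-crypt style hash embedded directly in the file).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
elf:x:0:1001:Elf:/home/elf:/bin/bash
test:$1$PLACEHOLDER$notarealhash:0:0:Test User:/home/test:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

# Prefixes used by crypt(3)-style hashes; "$1$" is the openssl passwd -1 output.
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt",
                 "$6$": "sha512crypt", "$y$": "yescrypt"}


@dataclass
class Finding:
    user: str
    reason: str


def hash_algorithm(pw_field: str) -> str:
    """Name the crypt algorithm of a password field, or 'unknown'."""
    m = re.match(r"^\$[1-9y]\$", pw_field)
    return HASH_PREFIXES.get(m.group(0), "unknown") if m else "unknown"


def audit_passwd(content: str) -> List[Finding]:
    """Flag passwd entries matching the tampering pattern described above."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, f"line {lineno}: malformed entry"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            findings.append(Finding(user, "UID 0 on a non-root account"))
        # "x" defers to /etc/shadow; "*", "!" and "!!" lock the account.
        if pw == "":
            findings.append(Finding(user, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            algo = hash_algorithm(pw)
            findings.append(Finding(user, f"hash stored in passwd ({algo})"))
    return findings


def audit_file(path: str = "/etc/passwd") -> List[Finding]:
    """Run the same checks against a real passwd file on the host."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())
```

On a live host, `audit_file()` reads /etc/passwd (world-readable, so no root needed) and an empty result means neither artifact is present; pairing this with a periodic comparison of setuid binaries against a known-good list covers the other half of this technique.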
Rose Mold says afterwards
Yup, I knew you knew. You just have that vibe.
To answer your question of why from earlier... Nunya!
But, I will tell you something better, about some information I... found.
There's a hidden, uncharted area somewhere along the coast of this island, and there may be more around the other islands.
The area is supposed to have something on it that's totes worth, but I hear all the bad vibe toys chill there.
That's all I got. K byyeeeee.
Ugh... n00bs...
And the hint:
Not all the areas around Geese Islands have been mapped, and may contain wonderous treasures. Go exploring, hunt for treasure, and find the pirate's booty!