Introduction
In this lab, we will learn how to find and exploit sensitive configuration files on a Linux system to escalate our privileges to root. The goal is to gain a deeper understanding of web service configuration files and user-related configuration files, and how to leverage them for privilege escalation. We will assume that we have already obtained a low-privileged shell, such as the www-data user, through a web vulnerability, and we will explore techniques to elevate our access to root.
Investigating Web Service Configuration Files
Web service configuration files may contain sensitive information, such as database credentials, which can be used for privilege escalation if the administrator has reused passwords.
First, open a terminal and navigate to /home/labex/project:
cd /home/labex/project
Let's begin by initializing the lab environment:
./env_setup_1.sh
After the initialization, we are now operating as the www-data user, simulating a low-privileged shell obtained through a web vulnerability.
Web services on Linux are typically stored in the /var/www directory. We should focus on the following files:
database.php
user.php
*.config
config.php
We can search for these files using the following command:
find /var/www -type f \( -iname "user.php" -o -iname "database.php" -o -iname "config.php" -o -iname "*.config" \) 2> /dev/null
Expected output:
/var/www/wordpress/wp-admin/includes/user.php
/var/www/wordpress/wp-includes/user.php
/var/www/wordpress/wp-content/plugins/akismet/views/config.php
Additionally, if the target system is using a Content Management System (CMS), we can search for the default location of that CMS's database connection file.
In this lab environment, the server is using the WordPress CMS. By searching, we find that the WordPress database configuration is stored in the /var/www/wordpress/wp-config.php file:
more /var/www/wordpress/wp-config.php
This file contains the MySQL root account credentials:
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', 'cD8M2M8fMiDHu4m1' );
Considering the possibility of password reuse by the administrator, we can attempt to log in as the system root user using this password:
su -
Unfortunately, this password does not work for the root user.
Next, we can log in to the MySQL database and search for more information:
mysql -u root -p -h 127.0.0.1
Enter the password from the wp-config.php file:
cD8M2M8fMiDHu4m1
Inside the MySQL database, we can execute the following commands to gather more information:
Check the available databases:
show databases;
Select the ROB database:
use ROB;
List the tables in the ROB database:
show tables;
Query the rob_user table:
select * from rob_user;
From the database, we obtain two more sets of credentials:
root:CMPc5MoAGf
alice:psoj9apv4u
Exit the MySQL database:
exit
We can try logging in as the root user using the password CMPc5MoAGf:
su -
Enter the password we obtained from the database:
CMPc5MoAGf
This time, we successfully gain root access!
Create a file named proof.txt in the /root directory to demonstrate successful privilege escalation:
echo "Success" > /root/proof.txt
Verify the file has been created:
ls /root/proof.txt
In this step, we learned how to find and exploit sensitive information in web service configuration files to escalate privileges. The core idea is to search for authentication credentials on the server and leverage potential password reuse for privilege escalation.
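As an added defender-side example (not part of the lab), the following Python script automates the check this step performs by hand: it walks a web root for the config file names listed above, parses PHP define() credentials, and reports a file that any local user can read or that connects to the database as root. The temporary web root and the sample wp-config.php content (with a placeholder password) are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Added auditing example, not part of the lab: walk a web root, extract PHP define()
# credentials and flag what the lab exploited (readable config, DB as root, plaintext password).
CONFIG_NAMES = {"wp-config.php", "config.php", "database.php", "user.php"}
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_php_defines(text):
    """Return {NAME: value} for every define('NAME', 'value') in a PHP file."""
    return dict(DEFINE_RE.findall(text))


def find_config_files(root):
    """Yield paths under root whose basename looks like a web config file."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in CONFIG_NAMES or name.endswith(".config"):
                yield os.path.join(dirpath, name)


def audit_config(path):
    """Return the list of finding names for one config file."""
    findings = []
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        defines = parse_php_defines(fh.read())
    if defines.get("DB_USER") == "root":
        findings.append("db-user-is-root")
    if defines.get("DB_PASSWORD"):
        findings.append("plaintext-db-password")
    return findings


def audit_tree(root):
    """Map every config file under root to its findings."""
    return {path: audit_config(path) for path in find_config_files(root)}


def demo():
    """Build a constructed WordPress-like tree in a temp dir and audit it."""
    wp = os.path.join(tempfile.mkdtemp(), "wordpress")
    os.makedirs(wp)
    cfg = os.path.join(wp, "wp-config.php")
    with open(cfg, "w") as fh:  # constructed sample; the password is a placeholder
        fh.write("<?php\ndefine( 'DB_USER', 'root' );\n"
                 "define( 'DB_PASSWORD', 'EXAMPLE_PLACEHOLDER' );\n")
    os.chmod(cfg, 0o644)  # readable by every local user, as in the lab
    return audit_tree(wp)[cfg]
```

On a real host, call audit_tree("/var/www") as root and fix any hit by tightening the file mode to the web server's user and giving WordPress its own least-privileged database account.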
Investigating User-Related Configuration Files
In this step, we will focus on user-related configuration files that may contain sensitive information.
After the last step, you may still be in the root shell. For this step, we will switch back to the labex user by running the following command:
su - labex
First, navigate to /home/labex/project:
cd /home/labex/project
Let's begin by initializing the lab environment:
./env_setup_2.sh
After the initialization, we are now operating as the user001 user.
The two main user-related configuration files to investigate are:
~/.bash_profile: Used for configuring environment variables and startup programs. This file is executed when a user logs in (a login shell).
~/.bash_history: A file in each user's home directory that records the user's shell command history, typically storing the last 1000 commands (this feature may be disabled on some Linux distributions).
Let's start by checking the ~/.bash_profile file:
cat ~/.bash_profile
Expected output:
cat: /home/user001/.bash_profile: No such file or directory
In this case, the user001 user does not seem to be using the ~/.bash_profile file.
Next, let's check the ~/.bash_history file:
cat ~/.bash_history
Here, we find a command recorded in the history:
...
echo user001:09FMWNFS7n | chpasswd
...
This command suggests that the user001 user's password has been changed to 09FMWNFS7n.
We can attempt to use this password to gain elevated privileges:
sudo whoami
And enter the password we found in the ~/.bash_history file:
09FMWNFS7n
The password works, and we can execute commands with sudo privileges.
To gain a root shell, we can use the following command:
sudo /bin/bash -p
We have successfully obtained a root shell by exploiting information from the user's command history.
Finally, create a file named success.txt in the /root directory to complete the lab:
echo "Congratulations" | sudo tee /root/success.txt
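As an added defender-side example (not part of the lab), this Python script scans a shell history for commands that embed a credential, such as the echo ... | chpasswd line found above or a password glued to mysql -p, so the leaked secret can be rotated and the history line removed. The sample history and the EXAMPLE_PW value are constructed for the example.

```python
import re

# Added defender-side example, not part of the lab: report history lines that
# store a credential in ~/.bash_history, the leak exploited in this step.
LEAK_PATTERNS = [
    # echo 'user:password' | chpasswd leaves the new password in the history file
    ("chpasswd-via-echo", re.compile(r"echo\s+['\"]?\S+?:\S+?['\"]?\s*\|\s*chpasswd")),
    # mysql -pSECRET puts the password on the command line; a bare -p prompts instead
    ("mysql-inline-password", re.compile(r"\bmysql\b.*\s-p(?!\s|$)\S+")),
    # sshpass -p SECRET is the same mistake for SSH logins
    ("sshpass-inline-password", re.compile(r"\bsshpass\s+-p\s*\S+")),
]


def scan_history(lines):
    """Return [(line_no, rule_name, command)] for history lines that leak a secret."""
    hits = []
    for no, line in enumerate(lines, 1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):  # blank lines and HISTTIMEFORMAT stamps
            continue
        for name, pattern in LEAK_PATTERNS:
            if pattern.search(cmd):
                hits.append((no, name, cmd))
                break  # one finding per command is enough for a report
    return hits


def scan_history_file(path):
    """Convenience wrapper for a real ~/.bash_history file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read().splitlines())


# Constructed sample history; EXAMPLE_PW is a placeholder, not a real credential.
HISTORY_SAMPLE = """ls -la
sudo apt update
echo user001:EXAMPLE_PW | chpasswd
mysql -u root -p -h 127.0.0.1
mysql -u root -pEXAMPLE_PW wordpress
cat /etc/passwd""".splitlines()


def demo():
    """Scan the constructed sample; only lines 3 and 5 should be reported."""
    return scan_history(HISTORY_SAMPLE)


if __name__ == "__main__":
    for no, rule, cmd in demo():
        print(f"line {no}: {rule}: {cmd}")
```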
Summary
In this lab, we learned how to find and exploit sensitive information in web service configuration files and user-related configuration files to escalate privileges on a Linux system. We explored techniques for searching for files that may contain authentication credentials, such as database connection files, user command history, and other configuration files. By leveraging potential password reuse, we were able to gain root access.
The key takeaway is to always be on the lookout for sensitive information stored on the system, as it can potentially lead to privilege escalation. While this lab focused on specific types of files, it is essential to maintain a mindset of continuously searching for any files or information that could be exploited for privilege escalation purposes.