Linux Privilege Escalation via VI!

Steven Petty
4 min read · Nov 10, 2019


Yo! @PettyHacks back with a simple Linux Privilege Escalation technique to migrate that measly $User shell you have over to #PwnCity with a $Root shell! FYI this is Part 2 to my previous article “Magento Exploitation! — From Customer to Server User Access” so if you are planning on hacking along make sure to check it out!

Now there are TONs of great write-ups and even videos on basic Linux Privilege Escalation so I am not going to go over all of that. Instead I am going to show you how incorrectly configured Sudo permissions can be manipulated to give you root access.

www-data@swagshop:

To pick right back up where we left off, we currently have access to the “www-data” user shell on SwagShop’s E-Commerce server.

One of the first things you should always check when looking for priv esc openings is what sudo permissions the user has available to them. This is super simple to check by running the following:

sudo -l

This command will list out all of the sudo permissions available to that account. As you can see, on this box we have sudo access to the text editor vi, but only in a specific directory, /var/www/html/*

This means we can run vi as root on any file within that directory. This directory limitation is pretty obviously a control to keep us from being able to open /etc/shadow or any other “locked” files only available to the root account. This control makes sense, in theory, but lucky for us we don’t need specific access to any file when we can take control of the entire root user #CornyEvilLaugh. Now there are 2 ways this can be done, either open an existing file (within that specific directory) with vi:

Or just create our own (again, within that specific directory):

The contents of the file don’t actually matter here. What we want is an active vi session that we can leverage into a root shell, since vi will already be running as root. How does this work? Well, within vi you actually have the ability to run terminal commands as a feature, not a bug. So if we have vi open, running as root, and we tell it to spawn a shell, I’m sure you can guess what shell is going to be spawned? >:)

Anddddd there she is. We run:

:!/bin/bash

in our active vi session and it spits out a shell just as expected. And if we check “whose” shell it is by running whoami, we see it’s root! Confirmed on the SwagShop box.
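Seen from the administrator's side, the same rule can be caught before anyone abuses it. The script below is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that run a shell-capable program even when the rule restricts the path. The sample output, the `SHELL_CAPABLE` list and the `audit()` helper are assumptions constructed for illustration.

```python
import re

# Programs with a built-in "run a command" feature, like the vi `:!` used above.
# The exact list is an assumption of this example, not an exhaustive inventory.
SHELL_CAPABLE = {"vi", "vim", "view", "ex", "ed", "less", "more", "man"}

# Constructed `sudo -l` output modelled on the rule the article describes.
SAMPLE = """\
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) sudoedit /var/www/html/*
"""

# "(runas) TAG: TAG: command[, command...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit(sudo_l_output):
    """Return one finding per rule that runs a shell-capable program via sudo."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults or blank line
        tags = set(re.findall(r"[A-Z_]+", m.group("tags")))
        if "NOEXEC" in tags:
            continue  # sudo blocks further exec from dynamically linked programs
        # Simplification: commands containing an escaped comma are not handled.
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            parts = cmd.split()
            binary = parts[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                findings.append({
                    "runas": m.group("runas").strip(),
                    "binary": binary,
                    "command": cmd,
                    # A path argument limits which file is opened, not what the
                    # program can do once it is running as the target user.
                    "path_restricted": len(parts) > 1,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[!] {f['command']} runs as {f['runas']}: {f['binary']} can spawn a shell")
```

The usual fix for a flagged rule is to grant `sudoedit` on the same path instead, which runs the editor as the invoking user on a temporary copy rather than running the editor itself as root.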

Sorry if this write-up was much quicker than you had anticipated; I just didn’t want to go over what so many other talented hackers have already beaten to death. I hope this helped and maybe you learned a little something! Feel free to hit me up on Twitter or comment below with any feedback, requests, or just to ask how many #FireballShots were taken during this hack.

Again thanks for reading and check back later for our next target! #SqlInjection #byeFelica
