Linux privilege escalation module

Hello
I am currently in the Linux privilege escalation module section Miscellaneous Techniques. I can’t seem to access a root shell. The /etc/exports also doesn’t seem to be there in the pwnbox
also when I ran the ./shell file as sudo I got access into the machine as root


I don’t know if I am doing something wrong
here is the file shell and it was created as htb-ac521253 user.

can’t upload more than one photo, this is the file shell permissions

hi, have you found the flag? you should see the contents of /etc/exports of the target machine.
you will see an interesting directory

2 Likes

Hi I finally found the answer after several attempts. Shell.c has to be compiled (gcc) with sudo in the attacker machine (10.10.x.x). Then the owner of the file “shell” will be root. Flag can be found with the hint of j0rg3k.

as usual i’m coming here after finding the flag to warn people that most of the modules’ questions are massive bs and the modules usually have details wrong.

in this case the module shows you to compile the shell on the target machine but move it from the attacker’s machine lol. also possibly you don’t have the rights to run ldd on the target machine. so you have to compile on your own machine, but also most probably you don’t have the same glibc (coz the target is old), so you’ll have to compile your shell with the --static option.

so yeah, wrong, not up to date, makes it harder for n00bs. you really need to understand what’s going on and do a lot of research, rather than following the modules themselves.

3 Likes

Hello, I have been going through this module and can’t seem to find the flag. Do you think you could give me a hand?

sure. most probably i forgot most of the stuff but shoot. may still be able to help.

So when you say you have to be in the attack machine should I ‘gcc shell.sh -o shell’ in the root of that machine?

[/mnt]
└──╼ [★]$ gcc shell.sh -o shell
/usr/bin/ld:shell.sh: file format not recognized; treating as linker script
/usr/bin/ld:shell.sh:4: syntax error
collect2: error: ld returned 1 exit status

shell.sh? shouldn’t be a shell script, should be a .c file no?

yeah ok i had a quick look at the Section again. so this is for the Miscellaneous Technique. you have to write a .c file that you compile to a binary with gcc. iirc you can’t do this on the target because you don’t have rights to run ld. so you need to do it on your own machine, then transfer the binary. but most probably when you’re gonna run your compiled binary on the target machine, you’ll get a glibc error message, coz your machine and the target machine don’t use the same version of gcc or whatever shared libraries blah blah blah. so you have to include the libraries in your binary by compiling with the --static option. move the binary on the target, run it, then it’ll work.

Alright thanks. Previously I was able to gcc and chmod but ‘./shell’ did not do anything. I guess that must be the problem. I shall find out in a bit.

maybe some issue with your C code? run it on your own local machine first and see if it works. then only when it does try to transfer it to the target.

Also stuck on this for quite some time. Was able to compile the shell on my machine and execute to get root, but it’s not wanting to execute on the victim host. Every time I try ./shell nothing happens. This lesson is absolutely horrible and I’m embarrassed I’ve come this far just to be held up by this.

did you get it? my shell script does nothing

For those who are stuck in this module, follow below.

  1. Create the SetUID binary (Either as remote target user or local kali user)
  2. Compile the binary (local kali user to add --static flag as mentioned by “godbout”) using gcc
  3. If compiled remotely, use kali to mount the NFS directory (tmp) and copy the compiled binary and reupload to local mounted drive (mnt) using Sudo (Since we have to copy the file as root). If compiled locally, just have to copy the binary as root (sudo) to local mounted directory (/mnt).
  4. Set SUID for the reuploaded binary in /mnt (Local drive) as root (Use sudo)
  5. Execute the binary in /tmp as remote user.

2 Likes
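
Added example, not part of any post in this thread: the steps above only work when the NFS export lets a client's root keep uid 0, which in exports(5) is the `no_root_squash` option (the thread never names it). This sketch parses exports-format text and reports the entries an administrator should fix; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample in exports(5) syntax; not the target's real file.
SAMPLE_EXPORTS = """\
# constructed sample
/var/nfs/general *(rw,no_root_squash)
/tmp             *(rw,no_root_squash)
/srv/backup      10.0.0.0/24(ro,sync) \\
                 10.0.1.5(rw,sync,root_squash)
/srv/share       -rw,no_root_squash 10.0.2.7 10.0.2.8(root_squash)
"""

ENTRY = re.compile(r"([^()]*)\(([^()]*)\)")   # client(opt,opt,...)

def last_wins(opts, on, off, default):
    """Options are applied left to right, so the last of a pair decides."""
    state = default
    for o in opts:
        if o in (on, off):
            state = (o == on)
    return state

def parse_exports(text):
    """Yield (path, client, options) per client entry; quoted paths not handled."""
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        fields = line.split("#", 1)[0].split()            # drop comments
        if len(fields) < 2:
            continue
        path, defaults = fields[0], []
        for tok in fields[1:]:
            if tok.startswith("-"):        # "-opt,opt": defaults for later clients
                defaults = tok[1:].split(",")
                continue
            m = ENTRY.fullmatch(tok)
            client, own = (m.group(1) or "*", m.group(2).split(",")) if m else (tok, [])
            yield path, client, defaults + own

def audit(text):
    """Return (path, client, writable) for entries where client root stays uid 0."""
    findings = []
    for path, client, opts in parse_exports(text):
        trusted = last_wins(opts, "no_root_squash", "root_squash", False)
        if trusted and "all_squash" not in opts:
            findings.append((path, client, last_wins(opts, "rw", "ro", False)))
    return findings

if __name__ == "__main__":
    for path, client, writable in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: no_root_squash, {'rw' if writable else 'ro'}")
```

Entries it reports are the ones to set back to `root_squash` (the exports(5) default), followed by `exportfs -ra` to reload the export table.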

Just to comment here if anyone else runs into the same frustrations of this module as I did:
For this specific module, you don’t actually need to use the mount command as the hint suggests or run the shell C code as shown above in the module.
The question is only asking to check the NFS server lists and see if there are any interesting directories (nudge nudge wink wink) as @j0rg3k said
To find the flag, I ran the “cat /etc/exports” command. Found a list of directories worth looking into and found a file in one of them that contained the flag.
It is NOT your traditional HTB{} flag if you resorted to searching files and folders for such a pattern.

While the question is rather simple and easy to over-complicate for the task, this entire course has been subpar for the questions, hints and applying the information from each module especially as a novice to these topics.

cd /var/nfs/general
ls
cat exports_flag.txt

Is this really a privilege escalation module?

3 Likes

Even though you do not have to go through the steps to get root to get the flag, I figured it would be good practice…

If you are running your ./shell cmd from the /tmp folder and nothing is happening:

  • Remove your compiled shell file
  • Rerun all commands as root (gcc w/ --static & chmod +s)

Once I ran the commands as root on the attack machine I achieved root access on the victim by rerunning ./shell.

Thank you for the breakdown. Now that I’ve done it, the process makes a little more sense.