CTFtime.org / TAMUctf 19 / 4_privilege_escalation

# 4_privilege_escalation

We know that the attacker was able to escalate privileges to a higher user account. This level asks us to find out how they escalated privileges, and to what account did they escalate privileges to, as well as the password for this account.

It's actually easier to work a bit backwards here. Instead of finding out how they escalated privileges, let's first find out to what account they escalated privileges. To do this, we can consult the logs we were given previously. We're going to read the file, and grep it for the attacker's IP address, which we know from the previous levels. Then, we'll be able to find out which accounts they logged into.

```
$ grep 10.187.195.95 auth.log
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/4_privilege_escalation-1.png)

We find that they logged into the `devtest` account first, and then into the higher privileged `root` account. Let's again run grep on the auth.log account to find out what the `root` password is. We know that usernames and passwords on *NIX systems are stored in a user:pass format, so some simple regex is all we need to find it.

```
$ grep root:.* auth.log
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/4_privilege_escalation-2.png)

The credentials are `root:0A0YlBjrlBXSr14MPz`.

Now, let's find out how the attacker escalated their privileges to the root account, and get the md5sum of the file they used. We were given a disk image of the server in this level. Let's go ahead and mount it.

I need to first create a mount point in `/mnt`.

```
$ sudo mkdir /mnt/4_privilege_escalation
```

Then, I need to mount the filesystem.

```
$ sudo mount -o loop filesystem.image /mnt/4_privilege_escalation
```

Now, I can access the filesystem.

```
$ cd /mnt/4_privilege_escalation
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/4_privilege_escalation-3.png)

Let's go ahead and browse the home directories to see if there's anything interesting.

```
$ ls *
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/4_privilege_escalation-4.png)

Huh. That's an interesting file in ubuntu/setup.sh. Let's check it out.

```
$ cat setup.sh
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/4_privilege_escalation-5.png)

Here, we find the single line of code that was responsible for that log we found earlier in `auth.log`. We can assume that the attacker used this file to log into the `root` account. Now, to complete the challenge, we just need to submit the md5sum of this file.

```
$ md5sum setup.sh
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/4_privilege_escalation-6.png)

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-TAMU/DriveByInc/4_privilege_escalation.md).

4_privilege_escalation - DriveByInc

Comments

4_privilege_escalation - DriveByInc

Comments

Sign in with