Objective

Employ enumeration and web enumeration methods to uncover system weaknesses. Apply privilege escalation techniques, in particular abusing a crontab misconfiguration, to gain elevated access. This lab enhances your ability to identify and exploit misconfigurations effectively.

Enumeration

Nmap

During the initial Nmap scan, I discovered that the FTP port was open and allowed anonymous login, but attempts to interact with the service resulted in timeouts. The scan also revealed three unusual open ports, including one running SSH and two hosting HTTP-based services.

00 - nmap

WEB Enumeration

One of the HTTP services hosted a help page that revealed a command endpoint designed to be used in a REST API style, providing insight into how the backend could be interacted with programmatically.

01 - commands

One of the commands exposed via the help page allowed directory listing, which led to the discovery of a user named alfredo.

02 - user alfredo

Another command allowed file uploads, which by default were placed in the /tmp directory. However, I discovered a path traversal vulnerability in this command that made it possible to upload files to any location where I had write permissions.
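The lab's REST API code is not shown in the write-up, so the handler below is an added, hypothetical example (not the lab's or OffSec's code) of the defect described above beside a hardened form. `unsafe_target` joins the client-supplied name straight onto the upload directory, so `../` segments or an absolute name escape it; `safe_target` accepts only a single path component and then re-checks that the resolved path is still inside the root. `UPLOAD_ROOT` is a constructed value. Note that an extension denylist of the kind the service used (blocking `.pub`) is not a control against this: the name was simply changed and the content was stored unchanged.

```python
"""Upload-path handling: the traversal-prone form beside a hardened one.

Added example; the lab's REST API code itself is not shown in the write-up, so
this handler and its UPLOAD_ROOT are hypothetical. unsafe_target reproduces the
defect the write-up exploits: the client-supplied name is joined straight onto
the upload directory, so "../" segments (or an absolute name) escape it.
safe_target accepts only a single path component and then re-checks that the
resolved path is still inside the root.
"""
import os

UPLOAD_ROOT = "/tmp/uploads"   # constructed; the lab's service stored files under /tmp


class UnsafeFilename(ValueError):
    """Raised for names that would resolve outside UPLOAD_ROOT."""


def unsafe_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Vulnerable: normpath collapses root/../../x into /x, and os.path.join
    discards root entirely when filename is absolute."""
    return os.path.normpath(os.path.join(root, filename))


def safe_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened: a legitimate upload name is one component, e.g. "report.txt"."""
    if (not filename or filename in (".", "..")
            or "/" in filename or "\\" in filename or "\x00" in filename):
        raise UnsafeFilename(filename)
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, filename))
    # Defence in depth: confirm the fully resolved path still lives under root
    # (catches a symlinked entry inside the upload directory, for example).
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise UnsafeFilename(filename)
    return target


def is_safe_upload_name(filename: str) -> bool:
    """Boolean wrapper around safe_target for callers that do not want an exception."""
    try:
        safe_target(filename)
    except UnsafeFilename:
        return False
    return True


if __name__ == "__main__":
    for name in ("report.txt", "../../home/alfredo/.ssh/authorized_keys", "/etc/passwd"):
        print(f"{name!r}: unsafe -> {unsafe_target(name)}, hardened accepts -> {is_safe_upload_name(name)}")
```

The component check does the real work; the `commonpath` test is a second line of defence for cases such as a symlink planted inside the upload directory, which a single-component name could still follow.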

Exploitation

Using this knowledge, I generated an SSH key pair (id_rsa and id_rsa.pub). Since the upload functionality rejected files with a .pub extension, I renamed id_rsa.pub to id_rsa.txt. Then, leveraging the path traversal vulnerability, I uploaded it as /home/alfredo/.ssh/authorized_keys.

As you may know, the authorized_keys file lists the public keys permitted to authenticate to the SSH service as that user. By adding my public key to this file, I was able to authenticate and gain SSH access as the user alfredo.

03 - created a ssh key

04 - uploaded id_rsa pub as authorized_keys

After successfully adding my key, I was able to SSH into the system as the alfredo user and retrieve the user flag.

05 - user flag

Privilege Escalation

Once inside the SSH shell as alfredo, I checked the /etc/crontab and noticed that a backup script was being executed every minute by the root user.

The script executed by the root user’s cron job was quite simple. It first exported a custom PATH environment variable with /home/alfredo/restapi at the front, then used the unqualified commands cd and tar to create a backup archive.

06 - crontab

Since the script relied on tar and cd without specifying their full paths, and prioritized /home/alfredo/restapi in the PATH, I was able to abuse this by placing a malicious script named tar (or cd) in that directory. My custom tar script executed chmod +s /bin/bash, effectively giving the system’s bash binary the SUID bit and allowing root shell access.

After placing the malicious tar script in /home/alfredo/restapi, I waited for one minute for the cron job to execute. Once the script ran and set the SUID bit on /bin/bash, I simply ran /bin/bash -p to spawn a root shell. From there, I was able to read the root flag.
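As an added defensive example (not the lab's script or any OffSec code), the audit below scans a cron-executed shell script for exactly the exposure described above: a PATH assignment that puts a user-controlled directory ahead of the system directories, combined with external commands invoked by bare name. Which directories count as untrusted is passed in as a set so the check runs offline; `dir_is_untrusted` shows the on-disk test a real audit would apply to each PATH entry. The two embedded scripts are constructed, modelled on the write-up's description, and the hardened variant shows the fix: a root-owned PATH and absolute paths for external commands. One caveat the check encodes: `cd` is a shell builtin and is never looked up in PATH, so only external commands such as `tar` can be hijacked this way.

```python
"""Audit a cron-executed shell script for PATH hijacking exposure.

Added example, not code from the original write-up or from OffSec. It scans a
script for PATH assignments and for commands invoked by bare name (no slash in
the command word), and reports each one whose PATH search would visit a
directory that an unprivileged user controls. Which directories count as
untrusted is passed in as a set so the check runs offline; dir_is_untrusted
shows the on-disk test a real audit would use.
"""
import os
import re
import shlex
import stat

# Shell builtins are resolved by the shell itself and never searched for in
# PATH, so a file named "cd" dropped into a PATH directory is never run.
SHELL_BUILTINS = {
    "cd", "export", "echo", "exit", "set", "umask", "source", ".", "eval",
    "exec", "shift", "test", "[", "true", "false", "read", "unset", "trap",
    "wait", "printf", "ulimit",
}

PATH_ASSIGN = re.compile(r"^(?:export\s+)?PATH=(\S+)")
SEPARATORS = re.compile(r"\|\||&&|[|;]")

# Constructed sample modelled on the lab's backup script as the write-up
# describes it: root's cron runs it, and PATH puts a user-owned directory first.
LAB_STYLE_SCRIPT = """\
#!/bin/bash
export PATH=/home/alfredo/restapi:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
cd /home/alfredo/restapi
tar -czf /root/restapi-backup.tgz *   # bare tar: resolved via PATH
"""

# The same job written defensively: root-owned PATH only, and an absolute path
# for the external command regardless of PATH.
HARDENED_SCRIPT = """\
#!/bin/bash
export PATH=/usr/local/bin:/usr/bin:/bin
cd /home/alfredo/restapi || exit 1
/bin/tar -czf /root/restapi-backup.tgz .
"""


def dir_is_untrusted(path: str) -> bool:
    """On-disk test: a PATH directory is untrusted if it is not owned by root,
    is writable by group or others, or does not exist (whoever can create it
    gets the same position in the lookup order)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable_commands(script_text, untrusted_dirs, initial_path="/usr/bin:/bin"):
    """Return (command, directory) pairs: each bare command together with the
    first untrusted directory its PATH lookup would consult. Conservative by
    design: a directory late in PATH can still supply a command that the
    system directories lack."""
    findings = []
    path_dirs = initial_path.split(":")
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and the shebang
        if not line:
            continue
        m = PATH_ASSIGN.match(line)
        if m:
            # Expand a self-reference such as PATH=/x:$PATH with the value in force.
            value = m.group(1).strip("\"'").replace("$PATH", ":".join(path_dirs))
            path_dirs = value.split(":")
            continue
        for segment in SEPARATORS.split(line):
            try:
                words = shlex.split(segment)
            except ValueError:
                continue                      # unbalanced quotes: skip fragment
            while words and re.match(r"^\w+=", words[0]):
                words.pop(0)                  # leading VAR=value assignments
            if not words:
                continue
            cmd = words[0]
            if "/" in cmd or cmd in SHELL_BUILTINS:
                continue
            for d in path_dirs:
                if d.rstrip("/") in untrusted_dirs:
                    findings.append((cmd, d))
                    break
    return findings


if __name__ == "__main__":
    bad = {"/home/alfredo/restapi"}
    print("lab-style script:", find_hijackable_commands(LAB_STYLE_SCRIPT, bad))
    print("hardened script: ", find_hijackable_commands(HARDENED_SCRIPT, bad))
```

On a live host, build the set from the script's own PATH entries, e.g. `{d for d in path_dirs if dir_is_untrusted(d)}`, and run the same check over every script referenced from /etc/crontab and /etc/cron.d. The lab-style script yields a single finding for `tar`; the hardened one yields none, because its PATH contains only root-owned directories and `tar` is called by absolute path.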

07 - root

