The point of privilege escalation is to get a higher level of access. In Linux that would be to get a code execution as a root user. Here is the privilege escalation example in Linux using sudo.

We get initial access by using obtained login and password of a regular user to get remote access to the account.

I am using my Kali Linux virtual machine for it, but it is possible to ssh into the account through WIndows by using the PuTTY utility.

Let’s take a look at the groups we are at and in general look around and see what we have an access to.

Let’s run the sudo -l command to see if we can run any commands as a superuser.

So we have root user access to “more” command. GTFOBins is a great reference source of Unix binaries to use for bypassing security in misconfigured systems. Let’s see what we can find for the “more” command and reference what it states for “sudo”.

As we can see, the “more” command doesn’t drop escalated privileges.

Let’s use the “more” command using the path we saw earlier and open a file using it. It can technically be any file, but the trick is to make sure your console window is not enlarged so you can still scroll down in the file. This way you can actually type the command needed to spawn the shell inside the file. Otherwise, the content of the file will be displayed and you will be back to typing commands as a regular user.

We use the “!/bin/sh” command to be able to execute commands as a root user.

We can see the # sign indicating we have a privileged shell.

Once it is done, we can check our status with the “whoami” command.

We can check the content of the directory and take a look at the file of interest. The lab is solved.

Leave a Reply

Your email address will not be published. Required fields are marked *