Basic Linux PrivEsc for CTFs

Zeref_Sec
3 min read, Jul 16, 2021


My favorite part of a hack in a CTF is probably always going to be privilege escalation. See, a hack is like a bank job or robbery: you are faced with multiple layers of defense, and your job as the attacker is to get inside, find the loot and get out.

The web application part is like the electric fence surrounding the building that is being patrolled; it is tedious and annoying (imo), but when you get a foothold (inside the building or network in this analogy), the real fun begins. You have to wade through the information available to you so you can get the key to the vault or safe (root) and then find the loot. So with that being said, I want to cover some handy methods for achieving root using privilege escalation.

SUID Binary Exploitation

SUID exploits are a bread-and-butter method for privilege escalation in CTFs, and many of them involve common binaries you will come across in a Linux distro.

The first command to run to find out what SUID binaries exist on the system is:

find / -perm -u=s -type f 2>/dev/null

This will list all the SUID binaries, which you can cross-check on GTFOBins. For example, a SUID base32 can read files you wouldn't normally have access to by encoding the file and then decoding the output, such as the SSH private key of a sudo-capable user. SUID binaries have multiple exploits and each of them is highly useful when you come across it.

PermitRootLogin: NO !!!!

In reality, if you value the security of your network you will never allow root login; you will follow the rule of least privilege and have sudo users with restricted permissions on the system that can do maintenance. If you do however come across an sshd_config file that has "PermitRootLogin yes" (or "PermitRootLogin prohibit-password", which still allows key-based root login) inside it, then congratulations: you may not have to do much other than find a way to exfiltrate the root user's private key.

Most boxes that allow this have some method that lets you read the id_rsa file in the ~/.ssh folder of a user's home directory. When you have a copy of the contents, run it through ssh2john and John the Ripper to crack the passphrase, give the key file 600 permissions, and you're set to log in and grab the flag.

Docker Escapes / Jailbreaks

So it seems every time I do a CTF I come closer to the conclusion that Docker was not meant to be used for security purposes; in the past few days, 2 boxes I've come across have you sitting in a Docker container so you think nothing of the environment you're now in after you got the user flag so easily. Well, I've also come across a couple of neat ways to identify whether you're in a container or not, which should help you work out which kind of escape plan you need.

First, if you go to the root directory of the box and list all files ("cd / && ls -lah") and you see an entry named ".dockerenv", you're most likely in a container. Other IODs, indicators of Docker (yes.. I know it's bad.. I'll stop), are things like the process list being unusually small and /proc/1/cgroup containing control groups named after a container ID.

Hopefully, once you know you're likely inside a Docker container, you can start looking for methods of escaping it and move on to grabbing the root flag a lot faster.
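As an added example (mine, not from the original post) tying the SUID and Docker sections together, here is a small POSIX shell helper: it lists SUID binaries under a chosen root, reports the ones missing from a baseline list so an unexpected SUID bit stands out, and checks the two container indicators described above. The root argument, the baseline file format and the cgroup name patterns are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the enumeration steps above.
# Each function takes a root directory so it can be pointed at a mounted image
# or a constructed fixture; pass "/" (the default) for the live box.

# List SUID files under $1 (the same find as above, rooted at $1), sorted.
find_suid() {
    find "${1:-/}" -perm -u=s -type f 2>/dev/null | sort
}

# Print SUID files under root $1 that are not listed in baseline file $2.
# Baseline format (assumed): one absolute path per line of the SUID binaries a
# stock install is expected to have. Anything not on that list deserves a look:
# on a CTF box it is usually the intended path to root; on a real host it may
# be a backdoor or a packaging mistake.
unexpected_suid() {
    root=$1
    baseline=$2
    find_suid "$root" | while IFS= read -r f; do
        # Strip the root prefix so entries compare against the baseline as absolute paths.
        case $root in
            /) rel=$f ;;
            *) rel=${f#"$root"} ;;
        esac
        grep -qxF -- "$rel" "$baseline" || printf '%s\n' "$rel"
    done
}

# Return 0 if root $1 shows the container indicators from the post: a
# .dockerenv entry at the top level, or /proc/1/cgroup naming docker,
# containerd, kubepods or lxc cgroups (the name patterns are my assumption).
container_indicators() {
    root=${1:-/}
    [ -e "$root/.dockerenv" ] && return 0
    if [ -r "$root/proc/1/cgroup" ] &&
        grep -Eq 'docker|containerd|kubepods|lxc' "$root/proc/1/cgroup"; then
        return 0
    fi
    return 1
}

# Usage on the live system (not run here); uncomment to audit the box you are on.
# unexpected_suid / /path/to/baseline.txt
# container_indicators / && echo "container indicators present"
```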

Well, I hope these few tips help you out with your CTFs and let you start gaining some ranks on your favorite CTF platforms. The main thing I should say, though, is "Enumerate, Enumerate, Enumerate, and when you think you've found all the information you need, Enumerate again". Seriously, information is key to completing a CTF, and should you still need help with that I'll give you some extra resources below. Take care guys.

Privilege Escalation Resources:
