PrivEsc
At this point, we have access into our target through the reverse shell.
We however have not yet achieved our objective: Pwning the box.
We therefore need to find a way to elevate our privileges.
Let's begin by looking for SUID binaries on the system:
find / -perm -4000 -type f 2>/dev/null
We found a couple of binaries that run with elevated privileges.

Next, let's list the file capabilities set on binaries across the system:
getcap -r / 2>/dev/null
The file tar has some interesting capabilities.

cap_dac_read_search=ep
is a Linux capability that allows a process to bypass traditional file permission checks and perform read and search operations on any file or directory on the system, regardless of its permissions. The =ep suffix means the capability sits in the binary's effective and permitted sets, so it is active as soon as the program starts.
This will definitely come in handy.
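As an added defensive check (not part of the original write-up), the following POSIX shell script parses getcap output in the format shown above and flags entries that grant DAC-bypass or otherwise root-equivalent capabilities, or that live outside the standard system directories; the sample lines, including the /home/user/tar entry, are constructed.

```shell
#!/bin/sh
# Audit helper for `getcap -r / 2>/dev/null` output (added example, not from
# the original write-up). It flags binaries whose capabilities let a process
# ignore file permission bits or gain root-equivalent power, and binaries that
# carry any capability while sitting outside the usual system directories.

# Capabilities that bypass DAC checks or are effectively root.
DANGEROUS_CAPS='cap_dac_read_search|cap_dac_override|cap_setuid|cap_sys_admin'

# flag_caps: read getcap lines on stdin ("/path cap_x=ep", or the older
# "/path = cap_x+ep" form) and print "REASON path caps" for each finding.
flag_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}          # first token is the file path
        caps=${line#* }           # remainder is the capability string
        caps=${caps#= }           # strip the "= " of the older format
        reason=""
        if printf '%s\n' "$caps" | grep -Eq "$DANGEROUS_CAPS"; then
            reason="dac-bypass"
        fi
        case "$path" in
            /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*|/usr/lib/*|/usr/libexec/*) ;;
            *) reason="${reason:+$reason,}nonstandard-path" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$reason" "$path" "$caps"
        fi
    done
}

# Constructed sample in the shape getcap prints; the /home/user/tar line
# mirrors the finding described in this write-up.
SAMPLE='/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/home/user/tar cap_dac_read_search=ep
/opt/tool/bin/helper cap_net_bind_service=ep'

# count_findings: number of flagged entries in the sample.
count_findings() { printf '%s\n' "$SAMPLE" | flag_caps | wc -l | tr -d ' '; }

# Running the script directly prints the findings for the sample.
printf '%s\n' "$SAMPLE" | flag_caps
```

To audit a live host, replace the sample with `getcap -r / 2>/dev/null | flag_caps`; any dac-bypass hit on a user-writable or home-directory path deserves an immediate `setcap -r`.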
I combed through the directories on the target until I came across something interesting in the /var/backups directory: a backup file of old passwords!

I tried reading the contents of the file but got a 'permission denied' error. Let's use our newly found tool to read the contents of the file. (Remember to run the command from the home directory, which contains the capability-enabled copy of 'tar'.)
./tar -cf password.tar /var/backups/.old_pass.bak
A password.tar archive is generated.

Let's extract the archive:
tar -xf password.tar
Extracting the archive gives a directory labelled 'var'.
The directory has other subdirectories within it. I combed through them until I found what looks like a password, as shown below.

I used the password to authenticate as root.

And with that, folks, we have successfully pwned the box!
