Welcome back to the final blog in the series "How to hack a box"! In this blog we’ll cover the basics of privilege escalation and see it in practice on the Blocky box from Hack The Box.

Gathered information

Let’s first go through the information we gathered in the previous step, "Enumeration". This is what we wrote down:

  • We have access to the user notch

  • A Minecraft server (a Java application) is started on every reboot in a screen session under user notch

  • User notch has used sudo before, and might have started a MySQL CLI session as root with it

  • A MySQL server is listening on port 3306 on localhost, running as user mysql

  • There might be vulnerabilities in the OS or kernel which we can use

  • We can execute any command as any user with sudo

Places to start

Common places to start

There are a few common entry points when attempting privilege escalation. You can, for example, think of the following:

  • Weak file permissions on, for example, configuration files or scripts

  • Cron jobs running as root or another privileged user

  • System misconfiguration, such as an overly permissive sudo configuration on *nix

  • Escaping restricted environments

  • Credential re-use

  • Kernel exploits
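The checklist above as a runnable triage script. This is an added example, not code from the original post or from Hack The Box: every check takes a root directory so it can be pointed at the live system ("/") or at a mounted disk image, and the sample tree built by build_sample is constructed for illustration (the paths /opt/backup/run.sh and the db.yml file in it are hypothetical, not from Blocky).

```shell
#!/bin/sh
# Added example (not from the original post): privilege-escalation triage
# covering file permissions, cron, SUID, credential re-use and the kernel.

# Normalise the root argument so that "/" becomes "" and "$root/etc" is "/etc".
norm() { r="${1:-/}"; printf '%s' "${r%/}"; }

# 1. File permissions: world-writable regular files, skipping pseudo-filesystems.
#    A writable script or config that root later runs or reads is a classic path.
world_writable() {
    root=$(norm "$1")
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" \) -prune \
        -o -type f -perm -o+w -print 2>/dev/null
}

# 2. Cron: jobs from the system crontab, /etc/cron.d and root's spool file,
#    with comments and blank lines dropped. Check each script they call with
#    the output of world_writable.
cron_jobs() {
    root=$(norm "$1")
    cat "$root/etc/crontab" "$root"/etc/cron.d/* \
        "$root/var/spool/cron/crontabs/root" 2>/dev/null |
        grep -Ev '^[[:space:]]*(#|$)'
}

# 3. SUID binaries run as their owner no matter who invokes them; anything
#    outside the distribution's usual set deserves a look.
suid_files() {
    root=$(norm "$1")
    find "${root:-/}" -type f -perm -4000 -print 2>/dev/null
}

# 4. Credential re-use: case-insensitive recursive search for likely secrets,
#    skipping binary files (-I) and commented-out lines. The comment filter is
#    what turns a hit like the Minecraft config's "# ... [:password]@" into noise.
hunt_creds() {
    grep -rHInE -i 'passw(or)?d|secret|token|api[_-]?key|jdbc:' "$1" 2>/dev/null |
        grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#'
}

# 5. Kernel: only the version string. Exploits come last because the checks
#    above are cheaper and a failed kernel exploit can crash the box.
kernel_version() { uname -r; }

triage() {
    root=$(norm "$1")
    echo "== world-writable files =="; world_writable "$root"
    echo "== cron jobs ==";            cron_jobs "$root"
    echo "== SUID files ==";           suid_files "$root"
    echo "== credential hits =="
    for d in etc home opt srv var/www; do
        [ -d "$root/$d" ] && hunt_creds "$root/$d"
    done
    echo "== kernel ==";               kernel_version
}

# Constructed sample tree (hypothetical paths, not from the Blocky box).
build_sample() {
    b="$1"; umask 022
    mkdir -p "$b/etc/cron.d" "$b/opt/backup" "$b/home/notch/minecraft/config/sponge" "$b/proc"
    printf '# system crontab (constructed)\n' > "$b/etc/crontab"
    printf '*/5 * * * * root /opt/backup/run.sh\n' > "$b/etc/cron.d/backup"
    printf '#!/bin/sh\ntar czf /tmp/backup.tgz /srv\n' > "$b/opt/backup/run.sh"
    chmod 777 "$b/opt/backup/run.sh"   # the misconfiguration: root runs a file anyone can edit
    printf '# Aliases for SQL connections, in the format jdbc:protocol://[username[:password]@]host/database\n' \
        > "$b/home/notch/minecraft/config/sponge/global.conf"
    printf 'db_user: notch\ndb_password: s3cr3t-value\n' > "$b/home/notch/minecraft/db.yml"  # constructed secret
    printf 'noise\n' > "$b/proc/skipme"; chmod 666 "$b/proc/skipme"   # must be pruned, not reported
}

if [ "$#" -gt 0 ]; then
    triage "$1"                                   # e.g.  sh privesc-triage.sh /
else
    tmp=$(mktemp -d); build_sample "$tmp"; triage "$tmp"; rm -rf "$tmp"
fi
```

Run without arguments to see it against the constructed tree, or with / to triage the box you are on; the credential search is deliberately restricted to the directories where configs and user files live, because grepping all of / is slow and noisy.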

The path to root

Looking at it purely theoretically, we have several paths towards root:

  1. notch -> mysql/proftpd/ftp -> root

  2. notch -> root

Since we know Blocky is a very easy box, the second path is the most probable, simply because it has fewer hops to go through.

Our options

Looking at our gathered information, and setting MySQL access aside, there are a few things we can try:

  1. Search the Minecraft server files for information that could lead to additional credentials

  2. Follow the sudo hint and try to escalate our privileges with it

  3. Try available kernel exploits for privilege escalation

As for kernel exploits: on a box like Blocky I wouldn’t try them first. The kernel is fairly recent (though still outdated), the other two options are far quicker to check, and a failed kernel exploit can crash the box and cost you your foothold. If the first two options lead nowhere, we can of course still look for a usable kernel exploit.

Trying our options

Now that we’re done analysing our results, let’s get cracking!

Finding credentials in the Minecraft server

First of all, let’s try to find credentials in the Minecraft server files.

notch@Blocky:~$ grep -r password minecraft
minecraft/config/sponge/global.conf:        # Aliases for SQL connections, in the format jdbc:protocol://[username[:password]@]host/database

With grep -r <search text> <path> we can recursively search every file under the given path. Searching for password gave a single hit, in a config file. Looking at that hit, it is only a comment describing the connection-string format, and the object it documents is empty. Note that grep is case-sensitive by default, so add -i (grep -ri) to also catch Password or PASSWORD. Let’s try our other options.

Checking sudo configuration

There are a few ways to check the sudo configuration. The easiest is sudo -l, which we saw in the previous blog:

notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

We were asked for notch’s password, but fortunately we already know it. The output above basically means jackpot. The last line is the interesting one: (ALL : ALL) ALL means notch may run commands as any user (the first ALL) and as any group (the second ALL), and the final ALL is the list of permitted commands, i.e. everything. Let’s confirm this by running whoami with sudo:

notch@Blocky:~$ sudo whoami
root

Neat, it works!

Another way of checking the sudo configuration is to read /etc/sudoers itself, or any file in /etc/sudoers.d/. Most of the time, though, these files are readable only by root. If you can write to an existing sudoers file, or drop a file into /etc/sudoers.d/, you can grant yourself root rights. Be aware that sudo ignores files in that directory which are not owned by root or are writable by group or others, and skips file names containing a dot or ending in ~, so a file you simply create as notch will not be picked up unless you can also fix its ownership and mode. Before relying on a file you wrote, check its syntax with visudo -cf <file>, since a syntax error can lock sudo for everyone.
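To make reading sudo -l output less error-prone, here is an added example (not code from the original post) that turns each rule into a verdict: a full-root entry like Blocky’s (ALL : ALL) ALL is reported as FULL_ROOT, while NOPASSWD or single-command rules are listed for follow-up. The first sample is the Blocky output quoted above; the second (user alice, /usr/bin/vim, the systemctl rule) is constructed and hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: classify "sudo -l" output
# (read from stdin) into one verdict per rule.
classify_sudo() {
    awk '
    /is not allowed to run sudo/     { print "NONE"; next }
    /may run the following commands/ { on = 1; next }
    on && /^[ \t]*\(/ {
        sub(/^[ \t]*/, "")
        runas = $0; sub(/\).*/, "", runas); sub(/^\(/, "", runas)   # e.g. "ALL : ALL"
        user = runas;  sub(/[ \t]*:.*/, "", user)                    # run-as user only
        cmd = $0;      sub(/^\([^)]*\)[ \t]*/, "", cmd)              # drop "(user : group)"
        nopw = (cmd ~ /NOPASSWD:/)
        while (sub(/^[A-Z]+:[ \t]*/, "", cmd)) { }                   # strip option tags
        if ((user == "ALL" || user == "root") && cmd == "ALL")
            print (nopw ? "FULL_ROOT NOPASSWD" : "FULL_ROOT")
        else if (nopw)
            print "NOPASSWD " user " " cmd
        else
            print "LIMITED " user " " cmd
    }'
}

# Sample 1: the sudo -l output seen on Blocky (as shown in the post).
blocky_sudo() {
cat <<'EOF'
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
EOF
}

# Sample 2: a constructed, hypothetical limited configuration.
limited_sudo() {
cat <<'EOF'
User alice may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (ALL) /bin/systemctl restart apache2
EOF
}

echo "Blocky:";  blocky_sudo  | classify_sudo
echo "limited:"; limited_sudo | classify_sudo
```

On a live box, pipe the real output in with sudo -l | classify_sudo (this prompts for your password exactly as sudo -l does). If you do not know the password, sudo -n -l fails instead of prompting, which tells you non-interactively whether one is required at all.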

So how can we use this to gain a root shell?

Escalating our privileges

We now know we can run any command as root via sudo. To get a proper interactive shell with colours and all, we can open a new bash session as root with sudo bash (sudo -i works as well and gives you root’s own login environment instead of notch’s filtered one).

notch@Blocky:~$ sudo bash
root@Blocky:~# whoami
root

Now we can simply capture the root flag by reading /root/root.txt. To avoid showing the actual flag, I’ll use wc -c to print its size in bytes, which proves I can read the file.

root@Blocky:~# wc -c /root/root.txt
32 /root/root.txt

Congratulations, you’ve now got full root rights on the box and captured the root flag!

The end

We’ve now gone through all the steps of hacking a box. This was one of the easiest boxes on Hack The Box, so there’s much more to learn. When I first tried this box, I couldn’t get very far: I was stuck because I didn’t think of credential re-use and couldn’t get the reverse shell via WordPress working. After doing quite a few boxes, following a lot of write-ups, and trying to learn something from every box, I was able to improve my skills.

Initially my goal was to hack as many boxes as I could, but this approach prevented me from learning as much as I could have. If you think of each box as a lesson, you’ll learn a lot more. Try to really understand what services are running, how they work, and how they can be misused.

What now?

You now know the basic steps of hacking a box. To continue down this path, I recommend getting a paid subscription (£10 a month) to Hack The Box to get access to the "retired" boxes. You are allowed to publish write-ups for retired boxes, in contrast to the "active" ones. This means you can read write-ups or watch them on YouTube, which is a great way to get into the mindset of others and learn from it.
