
Sudo Privilege Escalation



1h 7m

This course will walk you through how to solve a number of tasks as part of a capture-the-flag (CTF) game called Wakanda. You will learn the necessary skills to excel in penetration testing and privilege escalation.


Hi, within this lecture, we're going to try and escalate our privileges one last time because we're going to be root eventually if we can manage it, of course. So, right now we are devops; we were mamadou, so we are making our way to the top. So, let me close everything over here and try to focus over there. So, right now we are devops and we want to be root. So, how do we do that? Let me show you another technique that we can use other than find. So, I'm going to open my notes one more time and let me scroll down a little bit and show you something. So, as you can see there are a couple of automated tools that we're going to dive into later on. And here you go. As you can see we have this command called sudo -l. So, it's a very simple command. And it actually gives us what we can do as a sudoer or as an administrator user, and it works; just run sudo -l and you will see what things we can run, as if we were an administrator user. We can actually run pip over here. So, user devops may run the following commands on Wakanda, and it's not like the SUID thingy. This is very common. So, a root or administrator can decide to give permissions to run some kind of binaries like this one to the users or to some groups, like developer groups, because it's necessary on the server. Like in this case we can run pip.

So, what can we do with pip? Pip is a Python package manager. If you don't know what it is, I hope you know a little bit of Python, so you can understand what we are doing over here, and I'm going to show you what we can do with it. I'm going to search for /usr/bin/pip and exploit, and of course sudo, something like that, in Google. So, once you do that, you will see a lot of tools over there. So, it's a common thing apparently and there is something called FakePip. So, FakePip, you can just search for that as well. So, as you can see it says that it's an exploit for sudoers with /usr/bin/pip install, and that is exactly what we are trying to do over here.
So, as you can see, it gives the same demonstration over here. They run sudo -l and they listed this thingy, and over here, if we can go to the command itself, it's what we have actually run in the previous lecture. It's doing a reverse shell, of course, that's how we are going to get this shell, and we have the pip thing going on over there. So, of course we're going to have to change the host and port one more time, at least the host itself, but we can actually use this. So, how do we use this? Over here apparently in the GitHub of this guy, we see the instructions: we can run this /usr/bin/pip install --upgrade --force-reinstall, but we have to download the setup.py file onto the remote target and execute this in the local folder. So, first of all we're going to have to download this, or just copy and paste the code into our server, into our target server. So, we are currently in the target server, right, as mamadou first and now as devops. So, first of all, we're going to have to download that setup.py file onto the target. And if we actually execute that in the local folder then we're going to get back some connection, and hopefully this connection will be sent as root.

So, in order to copy this, you can just come over here like we have learned in the Bandit. Just copy this Git over here and try to clone it. Let's try and see; yeah, clear doesn't work. We don't even have a proper shell over here and we don't even have a git command either. So, let's see, we have wget, okay; we can try to run wget. wget is downloading something. So, let me try to download everything over here and see. Yes, if you say ls we can see FakePip over here. Let me go into FakePip and see if we can get it. No, we cannot cd into FakePip. So, I believe there is something wrong over here. Let's try one more time; nope, it doesn't work. If we run less FakePip, it's there, but we cannot cd into it. There's something wrong. If we say ls -la, and here you go.
I believe this thinks that FakePip isn't a folder but a file, but I believe we're downloading from Git in a wrong way. So, let me just run the wget over here and see what's going on, and this is not what I expected to write. So, let me just copy this from here and come over there and try to wget it under Wakanda over here in our own Kali Linux to see what's wrong over there. So, let me run ls, let me cd into that; it says that it's not a directory, it's a file apparently. So, let me say file FakePip; yeah, it's an HTML document, so it doesn't clone or it doesn't download the Python code, but it actually downloads the HTML folder. So, I'm just going to clone this on my own Kali Linux. So, let me remove this FakePip over here. And I'm just going to git clone the thing so that we can actually see the Python code at least in our own Kali Linux, then maybe we can try to move that file to our remote server. So, I'm going to go into FakePip right now. Here we go. Now, let's try to find the setup.py. Here you go.

Now we want to just take everything inside of the setup.py and just move them into our server, and let me change this local host over here; I'm going to put in my own Kali Linux IP, and for port you can just keep it, and over here, let's see if we have some kind of IP stuff over there; nope. LHOST and LPORT are embedded as variables over here, so we don't have to change anything else. So, for LPORT you can leave it as it is or you can choose any other port if it doesn't work for you. Just make sure you don't use 1234 because we already used that. So, I'm going to try and just send the setup.py to our server. So, you can just copy and paste this thing, or you can even write it on your own in the server as well, and you can try to do it in a more, I don't know, complex way, like try to put this into your own Apache server and just try to wget it from there.
For example, let me just clear this stuff and let me try to copy the setup.py into my /var/www/html folder, which is my Apache2 server root folder, if you know what I mean. Now, what I'm going to do, I'm going to just say service apache2 start in order to make my apache2 server run, and now I have a website running down over here, and inside of my website I have setup.py. Now, I will just reach that setup.py from my own Kali Linux from the target server. If I come over here I can write and /setup.py; now I can reach that file. Of course we're going to have to do this in the server, not in the local machine. And we can easily do that by running wget and saying like https; we're going to have to; http, not https, sorry. We're going to have to specify the whole path over here rather than just the IP. So, like this. So, if you hit 'Enter' it will download it, and now if I run ls -la, here you go. Now we see the setup.py over here. Now if you remember the instructions, it says to just download the setup.py into your target machine. And that's exactly what we did. We managed to just get the setup.py into our target machine, and it was actually nice to change the IP address from Kali Linux as well, so that we don't deal with it inside of the target server. Maybe we don't even have Nano or Vim over here; we don't know yet.

So, what I'm going to do, I'm going to listen for incoming connections on 13372 because that's what our LPORT is. So, what I'm going to do next, I'm going to go back to this FakePip and just run the thing that it asks us to run. So, we're going to run the /usr/bin/pip install and we're going to install and upgrade or force reinstall the thing over here, and we are running this as sudo, as you can see; we are running it with the sudo command, and here you go. Now it has been executed. We can run this with the sudo command; why? Because it's allowing us to do so. And if you come over here to your Kali Linux, you're finally root. So, this FakePip does work. Thanks to this guy.
And if you run whoami, we are again root. So, if we run ls we can see we are inside of some folder. If you run locate root.txt, you can see that it's in the /root folder. You can go for cd /root, or you can just cat this out; not cd /root, but cat /root/root.txt, and here you go, we have the final flag over here. So, we managed to solve Wakanda. So, you may be thinking that we managed to solve it and you understood everything, but there are a lot of ways to go, so how did I know which way to go? Of course, there are a lot of ways and we're going to cover them in the privilege escalation sections again during this course, and we're going to cover a lot of gaining access information here as well. Remember that this is not the first time that I'm solving this CTF; I solved this a couple of years ago and it took me a lot more than one hour or 1.5 hours. I don't know how much time we spent on this one. Now it took me less because I almost knew which direction to go. I didn't remember everything, but it was easy for me to guide myself through something. For example, for the crontab thing or the cron job thing, I was listening for the incoming connection. If I wasn't listening for the incoming connection then I wouldn't have got the connection back from the server, then I wouldn't have had the chance to understand that it's being executed on its own. And maybe I would think that, yeah, I'm getting back the connection, but as mamadou, not the devops folder or devops user. But anyhow, we got the root flag; I'm just going to make a note of that as well. Again, don't worry about the alternative stuff. We're going to learn a lot of alternatives during the course. This is why we are doing it in the first place. So, I'm going to come over here and just write root.txt and just paste it over there. See you in the next section.
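The lecture turns on one `sudo -l` line: devops may run `/usr/bin/pip` as root, and `pip install` executes a package's setup.py. As an added example (not part of the course or of the FakePip project), this Python audit script parses `sudo -l` output and flags rules that grant an interpreter or package manager with no argument restriction; the binary list and the sample listing are constructed, and the list is a starting point, not an exhaustive catalogue.

```python
"""Audit `sudo -l` output for rules that hand out root code execution."""
import re

# Constructed list of well-known binaries that execute user-supplied code when
# run as root (pip executes a package's setup.py during `pip install`).
CODE_EXEC_BINARIES = {
    "pip": "pip install runs the package's setup.py as root",
    "pip3": "pip install runs the package's setup.py as root",
    "python": "interpreter: any script runs as root",
    "python3": "interpreter: any script runs as root",
    "perl": "interpreter: any script runs as root",
    "find": "find -exec runs arbitrary commands as root",
    "vim": "editor can spawn a shell as root",
}

# Matches sudo rule lines such as "(ALL) NOPASSWD: /usr/bin/pip".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output):
    """Return one dict per sudo rule: run-as user, NOPASSWD flag, path and arguments."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User devops may run the following commands"
        tags = m.group("tags").replace(":", " ").split()
        for cmd in filter(str.strip, m.group("cmds").split(",")):
            parts = cmd.split()
            rules.append({"runas": m.group("runas").strip(), "nopasswd": "NOPASSWD" in tags,
                          "path": parts[0], "args": parts[1:]})
    return rules

def audit(output):
    """Return findings for rules that amount to handing the user a root shell."""
    findings = []
    for r in parse_sudo_l(output):
        name = r["path"].rsplit("/", 1)[-1]
        if r["path"] == "ALL":
            findings.append(f"ALL commands as {r['runas']}: full root")
        elif name in CODE_EXEC_BINARIES and not r["args"]:
            # No argument restriction: the user chooses what the binary executes.
            findings.append(f"{r['path']} as {r['runas']}: {CODE_EXEC_BINARIES[name]}")
    return findings

# Constructed sample mirroring the listing the lecture sees on Wakanda.
SAMPLE = "User devops may run the following commands on wakanda:\n    (ALL) NOPASSWD: /usr/bin/pip\n"

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("RISK:", f)
```

The fix for a flagged rule is to drop it or to point sudo at a dedicated wrapper script that runs a fixed command, rather than at the interpreter or package manager itself.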


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.