Linux Hackers Become Root with CURL & Sudo

Step-by-Step Tutorial: Becoming Root with CURL & Sudo

1. Introduction to the Challenge:

   • The challenge is about privilege escalation using CURL and Sudo.
   • The task involves running a program in the root user's home directory via an SSH connection.

2. SSH Connection Setup:

   • SSH into the local host using the provided credentials: username - user, password - userpass.
   • Check the contents of the directory using the ls command.

3. Identifying Privilege Escalation Opportunities:

   • Use sudo -l to list commands that can be run as the root user.
   • Note the ability to run commands as the user 'fry' without a password.

4. Setting up an HTTP Server:

   • Run a Python 3 HTTP server on Port 8000 using the command python3 -m http.server 8000.
   • Access the server on Port 8000 to ensure it is running correctly.

5. Creating a Symbolic Link:

   • Create a symbolic link named healthcheck pointing to the fry.bash_history file using ln -s /home/fry/.bash_history healthcheck.
   • Access the symbolic link on Port 8000 to view the contents of fry.bash_history.

6. Exploiting Arbitrary Read and Write:

   • Utilize CURL with the asterisk (*) wildcard to read and write files.
   • Retrieve the contents of fry.bash_history using CURL.
   • Create a new file in the temporary directory using CURL.

7. Generating SSH Keys:

   • Generate a public/private key pair using ssh-keygen.
   • Move the public key (id_rsa.pub) to the HTTP server directory.

8. Adding SSH Key to Authorized Keys:

   • Access the authorized_keys file in the ~/.ssh directory.
   • Append the contents of the public key to the authorized_keys file.

9. SSH Access as Root User:

   • SSH into the host as the 'fry' user and check if the SSH key authentication works.
   • If successful, SSH into the host as the 'root' user using the same key pair.

10. Accessing the Flag:

    • Navigate to the home directory of the 'root' user.
    • Execute the get_flag_random_suffix binary within 1 second to retrieve the flag.

11. Conclusion:

    • Reflect on the process of privilege escalation using CURL and Sudo.
    • Acknowledge the importance of securing Sudo permissions to prevent unauthorized access.

12. Acknowledgments:

    • Appreciate the resources and training provided by Black Hills Information Security and John Strand.

This step-by-step guide outlines the process of escalating privileges and gaining root access using CURL and Sudo as demonstrated in the video "Linux Hackers Become Root with CURL & Sudo" by John Hammond.