Root Du Jour
Brief Overview
Escalating privileges on Amazon SageMaker notebook instances.
Many IoT devices today use a serial communication interface known as the Universal Asynchronous Receiver Transmitter (UART). The purpose of this interface is to give direct access to the IoT operating system via a command line interface (CLI) for debugging. In many cases, the underlying operating system is just a Unix system, which means backdooring these systems should be (hopefully) very simple.
Tmux is a terminal multiplexer for Linux systems. It allows you to have multiple terminal sessions and panes all in one terminal window. This improves productivity and speed when multitasking on the command line. Tmux is very powerful, but its keybindings aren’t very intuitive. In this post I’ll be going through the steps I took to adjust my tmux configuration to something more usable.
Spectra was an overall easy machine. Initial access was obtained through a leftover admin password, which led to RCE on the WordPress installation. Escalation to user was achieved through a plaintext password, and root access was acquired by having write access to init scripts and sudo access to initctl without a password.
Knife was an extremely short machine. Initial access was from a backdoored PHP version running on the web server. Privesc was just a script that we were allowed to run with sudo without a password. We just had to look at the help menu a little bit to get a root shell.
Laboratory was a short and sweet machine. Initial access was obtained using a Metasploit module, and privesc to user was simple. Root privesc made use of a path variable vulnerability. I enjoyed this box overall.
Armageddon was a very fun and straightforward machine. The initial access to the machine was very simple, and we needed to do some crafty shell techniques to get access to the user’s credentials. The path to root was the most interesting because it required some modifications to an existing exploit.