root-tty-hijack

2023


HTB Download

Download is a hard Linux box on HTB which hosts an Express application with a file read vulnerability that allowed me to retrieve its source code. Analyzing the code unveiled issues like broken object-level authentication and a JSON injection vulnerability. Leveraging these weaknesses, I successfully brute-forced a user’s password, which was reused for SSH login. Next, I found database credentials in a URI of a background process. The database granted me pg_write_server_files privileges, enabling me to write files on the system as the user postgres. Exploiting a cron job that interactively logs in as postgres, I utilized the write privileges to execute commands in the context of postgres. Further enumeration revealed multiple root TTY sessions, providing an opportunity to hijack them and execute commands as the root user.