/bin/sysinfo


The unknown SUID binary was found during the initial enumeration and later confirmed by PEAS as well.

theseus@ubuntu:/dev/shm$ file /bin/sysinfo
/bin/sysinfo: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=9e9d26d004da0634c0747d16d377cd2a934e565a, not stripped
 
theseus@ubuntu:/dev/shm$ ll /bin/sysinfo
-rwsr-x--- 1 root users 22040 Oct 21  2019 /bin/sysinfo*

/bin/sysinfo is a 64-bit ELF executable with the setuid bit set, owned by root:users with mode 4750: root may do anything with it, members of the users group may read and execute it, and everyone else has no access at all. The binary is also not stripped, so its symbol names are still available for static analysis.

theseus@ubuntu:/dev/shm$ getfacl /bin/sysinfo
getfacl: Removing leading '/' from absolute path names
# file: bin/sysinfo
# owner: root
# group: users
# flags: s--
user::rwx
group::r-x
other::---
 
theseus@ubuntu:/dev/shm$ getent group users
users:x:100:theseus

The users group has GID 100 and theseus is its only member. Since I have compromised theseus, I am able to run the SUID binary.
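The enumeration above, written out as a small set of shell functions so it can be repeated on another host. This is an added example and not part of the original write-up; the path /bin/sysinfo and the group name "users" appear in its comments purely as illustrations, and nothing in it depends on this particular box.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the manual enumeration
# behind the findings above, as functions that run on any Linux system.
# "/bin/sysinfo" and the group "users" are mentioned only as illustrations.

# list_suid DIR
#   Print every regular file below DIR that carries the setuid bit, one per
#   line, as "MODE OWNER:GROUP PATH" (e.g. "4750 root:users /bin/sysinfo").
#   Unreadable directories are silenced, as with the usual
#   "find / -perm -4000 2>/dev/null" one-liner.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -exec stat -c '%a %U:%G %n' {} + 2>/dev/null
}

# runnable_suid DIR
#   Keep only the setuid files this account may actually execute. A binary
#   with mode 4750 owned by root:users is invisible to "other", so it only
#   shows up here for members of "users". [ -x ] asks the kernel through
#   access(2), so supplementary group membership is honoured.
runnable_suid() {
    list_suid "$1" | while read -r mode owner path; do
        if [ -x "$path" ]; then
            printf '%s %s %s\n' "$mode" "$owner" "$path"
        fi
    done
}

# group_gid NAME / group_members NAME
#   Resolve a group's numeric GID (third field) and its member list (fourth
#   field) from /etc/group; these are the same fields "getent group NAME"
#   prints, but /etc/group is read directly so the example runs without NSS.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group
}
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' /etc/group
}

# Usage: sh suid_enum.sh /      -> setuid files the current user can run
if [ $# -gt 0 ]; then
    for d in "$@"; do
        runnable_suid "$d"
    done
fi
```

Running it with / as the argument reproduces the find/ll/getfacl steps above in one pass; group_gid and group_members replace the getent lookup.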

theseus@ubuntu:~$ /bin/sysinfo
====================Hardware Info====================
H/W path           Device     Class      Description
====================================================
                              system     VMware Virtual Platform
/0                            bus        440BX Desktop Reference Platform
/0/0                          memory     86KiB BIOS
/0/1                          processor  Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
/0/1/0                        memory     16KiB L1 cache
/0/1/1                        memory     16KiB L1 cache
/0/2                          processor  Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
/0/28                         memory     System Memory
/0/28/0                       memory     4GiB DIMM DRAM EDO
/0/28/1                       memory     DIMM DRAM [empty]
/0/28/2                       memory     DIMM DRAM [empty]
/0/28/3                       memory     DIMM DRAM [empty]
/0/28/4                       memory     DIMM DRAM [empty]
/0/28/5                       memory     DIMM DRAM [empty]
/0/28/6                       memory     DIMM DRAM [empty]
/0/28/7                       memory     DIMM DRAM [empty]
/0/28/8                       memory     DIMM DRAM [empty]
/0/28/9                       memory     DIMM DRAM [empty]
/0/28/a                       memory     DIMM DRAM [empty]
/0/28/b                       memory     DIMM DRAM [empty]
/0/28/c                       memory     DIMM DRAM [empty]
/0/28/d                       memory     DIMM DRAM [empty]
/0/28/e                       memory     DIMM DRAM [empty]
/0/28/f                       memory     DIMM DRAM [empty]
/0/28/10                      memory     DIMM DRAM [empty]
/0/28/11                      memory     DIMM DRAM [empty]
/0/28/12                      memory     DIMM DRAM [empty]
/0/28/13                      memory     DIMM DRAM [empty]
/0/28/14                      memory     DIMM DRAM [empty]
/0/28/15                      memory     DIMM DRAM [empty]
/0/28/16                      memory     DIMM DRAM [empty]
/0/28/17                      memory     DIMM DRAM [empty]
/0/28/18                      memory     DIMM DRAM [empty]
/0/28/19                      memory     DIMM DRAM [empty]
/0/28/1a                      memory     DIMM DRAM [empty]
/0/28/1b                      memory     DIMM DRAM [empty]
/0/28/1c                      memory     DIMM DRAM [empty]
/0/28/1d                      memory     DIMM DRAM [empty]
/0/28/1e                      memory     DIMM DRAM [empty]
/0/28/1f                      memory     DIMM DRAM [empty]
/0/28/20                      memory     DIMM DRAM [empty]
/0/28/21                      memory     DIMM DRAM [empty]
/0/28/22                      memory     DIMM DRAM [empty]
/0/28/23                      memory     DIMM DRAM [empty]
/0/28/24                      memory     DIMM DRAM [empty]
/0/28/25                      memory     DIMM DRAM [empty]
/0/28/26                      memory     DIMM DRAM [empty]
/0/28/27                      memory     DIMM DRAM [empty]
/0/28/28                      memory     DIMM DRAM [empty]
/0/28/29                      memory     DIMM DRAM [empty]
/0/28/2a                      memory     DIMM DRAM [empty]
/0/28/2b                      memory     DIMM DRAM [empty]
/0/28/2c                      memory     DIMM DRAM [empty]
/0/28/2d                      memory     DIMM DRAM [empty]
/0/28/2e                      memory     DIMM DRAM [empty]
/0/28/2f                      memory     DIMM DRAM [empty]
/0/28/30                      memory     DIMM DRAM [empty]
/0/28/31                      memory     DIMM DRAM [empty]
/0/28/32                      memory     DIMM DRAM [empty]
/0/28/33                      memory     DIMM DRAM [empty]
/0/28/34                      memory     DIMM DRAM [empty]
/0/28/35                      memory     DIMM DRAM [empty]
/0/28/36                      memory     DIMM DRAM [empty]
/0/28/37                      memory     DIMM DRAM [empty]
/0/28/38                      memory     DIMM DRAM [empty]
/0/28/39                      memory     DIMM DRAM [empty]
/0/28/3a                      memory     DIMM DRAM [empty]
/0/28/3b                      memory     DIMM DRAM [empty]
/0/28/3c                      memory     DIMM DRAM [empty]
/0/28/3d                      memory     DIMM DRAM [empty]
/0/28/3e                      memory     DIMM DRAM [empty]
/0/28/3f                      memory     DIMM DRAM [empty]
/0/3                          memory     
/0/3/0                        memory     DIMM [empty]
/0/4                          memory     
/0/4/0                        memory     DIMM [empty]
/0/5                          memory     
/0/5/0                        memory     DIMM [empty]
/0/6                          memory     
/0/6/0                        memory     DIMM [empty]
/0/7                          memory     
/0/7/0                        memory     DIMM [empty]
/0/8                          memory     
/0/8/0                        memory     DIMM [empty]
/0/9                          memory     
/0/9/0                        memory     DIMM [empty]
/0/a                          memory     
/0/a/0                        memory     DIMM [empty]
/0/b                          memory     
/0/b/0                        memory     DIMM [empty]
/0/c                          memory     
/0/c/0                        memory     DIMM [empty]
/0/d                          memory     
/0/d/0                        memory     DIMM [empty]
/0/e                          memory     
/0/e/0                        memory     DIMM [empty]
/0/f                          memory     
/0/f/0                        memory     DIMM [empty]
/0/10                         memory     
/0/10/0                       memory     DIMM [empty]
/0/11                         memory     
/0/11/0                       memory     DIMM [empty]
/0/12                         memory     
/0/12/0                       memory     DIMM [empty]
/0/13                         memory     
/0/13/0                       memory     DIMM [empty]
/0/14                         memory     
/0/14/0                       memory     DIMM [empty]
/0/15                         memory     
/0/15/0                       memory     DIMM [empty]
/0/16                         memory     
/0/16/0                       memory     DIMM [empty]
/0/17                         memory     
/0/17/0                       memory     DIMM [empty]
/0/18                         memory     
/0/18/0                       memory     DIMM [empty]
/0/19                         memory     
/0/19/0                       memory     DIMM [empty]
/0/1a                         memory     
/0/1a/0                       memory     DIMM [empty]
/0/1b                         memory     
/0/1b/0                       memory     DIMM [empty]
/0/1c                         memory     
/0/1c/0                       memory     DIMM [empty]
/0/1d                         memory     
/0/1d/0                       memory     DIMM [empty]
/0/1e                         memory     
/0/1e/0                       memory     DIMM [empty]
/0/1f                         memory     
/0/1f/0                       memory     DIMM [empty]
/0/20                         memory     
/0/20/0                       memory     DIMM [empty]
/0/21                         memory     
/0/21/0                       memory     DIMM [empty]
/0/22                         memory     
/0/22/0                       memory     DIMM [empty]
/0/23                         memory     
/0/23/0                       memory     DIMM [empty]
/0/24                         memory     
/0/24/0                       memory     DIMM [empty]
/0/25                         memory     
/0/25/0                       memory     DIMM [empty]
/0/26                         memory     
/0/26/0                       memory     DIMM [empty]
/0/27                         memory     
/0/27/0                       memory     DIMM [empty]
/0/29                         memory     
/0/29/0                       memory     DIMM [empty]
/0/2a                         memory     
/0/2a/0                       memory     DIMM [empty]
/0/2b                         memory     
/0/2b/0                       memory     DIMM [empty]
/0/2c                         memory     
/0/2c/0                       memory     DIMM [empty]
/0/2d                         memory     
/0/2d/0                       memory     DIMM [empty]
/0/2e                         memory     
/0/2e/0                       memory     DIMM [empty]
/0/2f                         memory     
/0/2f/0                       memory     DIMM [empty]
/0/30                         memory     
/0/30/0                       memory     DIMM [empty]
/0/31                         memory     
/0/31/0                       memory     DIMM [empty]
/0/32                         memory     
/0/32/0                       memory     DIMM [empty]
/0/33                         memory     
/0/33/0                       memory     DIMM [empty]
/0/34                         memory     
/0/34/0                       memory     DIMM [empty]
/0/35                         memory     
/0/35/0                       memory     DIMM [empty]
/0/36                         memory     
/0/36/0                       memory     DIMM [empty]
/0/37                         memory     
/0/37/0                       memory     DIMM [empty]
/0/38                         memory     
/0/38/0                       memory     DIMM [empty]
/0/39                         memory     
/0/39/0                       memory     DIMM [empty]
/0/3a                         memory     
/0/3a/0                       memory     DIMM [empty]
/0/3b                         memory     
/0/3b/0                       memory     DIMM [empty]
/0/3c                         memory     
/0/3c/0                       memory     DIMM [empty]
/0/3d                         memory     
/0/3d/0                       memory     DIMM [empty]
/0/3e                         memory     
/0/3e/0                       memory     DIMM [empty]
/0/3f                         memory     
/0/3f/0                       memory     DIMM [empty]
/0/40                         memory     
/0/40/0                       memory     DIMM [empty]
/0/41                         memory     
/0/41/0                       memory     DIMM [empty]
/0/42                         memory     
/0/42/0                       memory     DIMM [empty]
/0/43                         memory     
/0/43/0                       memory     DIMM [empty]
/0/44                         memory     
/0/45                         memory     
/0/100                        bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1                      bridge     440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7                      bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                    storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                    bridge     82371AB/EB/MB PIIX4 ACPI
/0/100/7.7                    generic    Virtual Machine Communication Interface
/0/100/f                      display    SVGA II Adapter
/0/100/10          scsi32     storage    53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.1.0    /dev/sda   disk       10GB Virtual disk
/0/100/10/0.1.0/1  /dev/sda1  volume     9214MiB EXT4 volume
/0/100/10/0.1.0/2  /dev/sda2  volume     1025MiB Linux swap volume
/0/100/11                     bridge     PCI bridge
/0/100/11/0                   bus        USB1.1 UHCI Controller
/0/100/11/0/1      usb2       bus        UHCI Host Controller
/0/100/11/0/1/1               input      VMware Virtual USB Mouse
/0/100/11/0/1/2               bus        VMware Virtual USB Hub
/0/100/11/1                   bus        USB2 EHCI Controller
/0/100/11/1/1      usb1       bus        EHCI Host Controller
/0/100/11/2                   storage    SATA AHCI controller
/0/100/15                     bridge     PCI Express Root Port
/0/100/15/0        ens160     network    VMXNET3 Ethernet Controller
/0/100/15.1                   bridge     PCI Express Root Port
/0/100/15.2                   bridge     PCI Express Root Port
/0/100/15.3                   bridge     PCI Express Root Port
/0/100/15.4                   bridge     PCI Express Root Port
/0/100/15.5                   bridge     PCI Express Root Port
/0/100/15.6                   bridge     PCI Express Root Port
/0/100/15.7                   bridge     PCI Express Root Port
/0/100/16                     bridge     PCI Express Root Port
/0/100/16.1                   bridge     PCI Express Root Port
/0/100/16.2                   bridge     PCI Express Root Port
/0/100/16.3                   bridge     PCI Express Root Port
/0/100/16.4                   bridge     PCI Express Root Port
/0/100/16.5                   bridge     PCI Express Root Port
/0/100/16.6                   bridge     PCI Express Root Port
/0/100/16.7                   bridge     PCI Express Root Port
/0/100/17                     bridge     PCI Express Root Port
/0/100/17.1                   bridge     PCI Express Root Port
/0/100/17.2                   bridge     PCI Express Root Port
/0/100/17.3                   bridge     PCI Express Root Port
/0/100/17.4                   bridge     PCI Express Root Port
/0/100/17.5                   bridge     PCI Express Root Port
/0/100/17.6                   bridge     PCI Express Root Port
/0/100/17.7                   bridge     PCI Express Root Port
/0/100/18                     bridge     PCI Express Root Port
/0/100/18.1                   bridge     PCI Express Root Port
/0/100/18.2                   bridge     PCI Express Root Port
/0/100/18.3                   bridge     PCI Express Root Port
/0/100/18.4                   bridge     PCI Express Root Port
/0/100/18.5                   bridge     PCI Express Root Port
/0/100/18.6                   bridge     PCI Express Root Port
/0/100/18.7                   bridge     PCI Express Root Port
/1                            system     
 
====================Disk Info====================
disk /dev/loop0: 164.8 MiB, 172761088 bytes, 337424 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop1: 65.1 MiB, 68259840 bytes, 133320 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop2: 243.9 MiB, 255762432 bytes, 499536 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop3: 219 MiB, 229638144 bytes, 448512 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop4: 548 KiB, 561152 bytes, 1096 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop5: 2.5 MiB, 2621440 bytes, 5120 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop6: 160.2 MiB, 167931904 bytes, 327992 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop7: 99.4 MiB, 104202240 bytes, 203520 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
 
 
disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
disklabel type: dos
disk identifier: 0xf8b0a793
 
Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1           2048 18872319 18870272   9G 83 Linux
/dev/sda2       18872320 20971519  2099200   1G 82 Linux swap / Solaris
 
 
disk /dev/loop8: 3.7 MiB, 3862528 bytes, 7544 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop9: 61.7 MiB, 64729088 bytes, 126424 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop10: 55.5 MiB, 58134528 bytes, 113544 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop11: 91.4 MiB, 95805440 bytes, 187120 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop12: 44.9 MiB, 47063040 bytes, 91920 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop13: 54.7 MiB, 57294848 bytes, 111904 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
 
disk /dev/loop14: 956 KiB, 978944 bytes, 1912 sectors
units: sectors of 1 * 512 = 512 bytes
sector size (logical/physical): 512 bytes / 512 bytes
i/o size (minimum/optimal): 512 bytes / 512 bytes
 
====================CPU Info====================
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 85
model name	: Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
stepping	: 7
microcode	: 0x5003302
cpu mhz		: 2294.609
cache size	: 22528 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 22
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xsaves arat pku ospke md_clear flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 4589.21
clflush size	: 64
cache_alignment	: 64
address sizes	: 43 bits physical, 48 bits virtual
power management:
 
processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 85
model name	: Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
stepping	: 7
microcode	: 0x5003302
cpu mhz		: 2294.609
cache size	: 22528 KB
physical id	: 2
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 2
initial apicid	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 22
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xsaves arat pku ospke md_clear flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 4589.21
clflush size	: 64
cache_alignment	: 64
address sizes	: 43 bits physical, 48 bits virtual
power management:
 
 
====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
mem:           3.8G        574M        1.8G         10M        1.5G        3.0G
swap:          1.0G          0B        1.0G

The /bin/sysinfo binary appears to run a series of other programs to report the system status: hardware information, disk information, CPU information and memory usage.

Judging by the output format alone, the sections correspond to:

  • lshw (short format) for Hardware Info
  • fdisk -l for Disk Info
  • the raw contents of /proc/cpuinfo for CPU Info (this is not lscpu output; lscpu prints a summary table)
  • free -h for Memory Usage

The Disk Info section is also evidence that the binary really runs with root privileges: fdisk -l prints the partition table of /dev/sda, which requires read access to the raw block device (root or the disk group), so the process is not dropping its effective UID before running these commands.

I will try to see the details of the operation with ltrace. Note that when a setuid binary is started under a ptrace-based tracer such as ltrace, the kernel refuses to grant it the elevated privileges, so this traced run executes as theseus; that is fine here, because the goal is only to learn which commands the binary spawns.

Debugging


theseus@ubuntu:/dev/shm$ ltrace /bin/sysinfo | grep popen
 
[...REDACTED...]
 
popen("lshw -short", "r")                                                           = 0x563c93c20e80
 
[...REDACTED...]
 
popen("fdisk -l", "r")                                                              = 0x563c93c20e80
 
[...REDACTED...]
 
popen("cat /proc/cpuinfo", "r")                                                     = 0x563c93c20e80
 
[...REDACTED...]
 
popen("free -h", "r")                                                               = 0x563c93c20e80
 
[...REDACTED...]
+++ exited (status 0) +++

As shown above, the following commands are invoked by the /bin/sysinfo binary:

  • lshw -short
  • fdisk -l
  • cat /proc/cpuinfo
  • free -h

The most important point here is that none of those commands are invoked by absolute path. popen(3) hands the string to /bin/sh -c, and the shell resolves a bare command name such as lshw, fdisk, cat or free through the PATH inherited from whoever launched the binary. If the binary does not sanitize PATH, that lookup can be hijacked: a malicious lshw, fdisk, cat or free placed in a directory that is put first in PATH will be executed instead of the real one, and because the binary is SUID root it will run with root privileges.
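To make the PATH argument concrete, here is an added example (not code from the original write-up or from the sysinfo binary itself) that reproduces what popen() does with one of those strings: it hands the string to /bin/sh -c, which looks the first word up through PATH. The fake lshw and the temporary directory are constructed for the demonstration; no setuid binary is involved, so the fake runs as the current user rather than as root.

```shell
#!/bin/sh
# Added example, not from the original write-up: what popen("lshw -short", "r")
# does with its command string. popen(3) runs /bin/sh -c "<string>", and the
# shell resolves a bare command name through the PATH it inherited from the
# caller, so a setuid program that keeps the caller's PATH lets the caller
# decide which "lshw" gets executed. The fake command and the temporary
# directory used below are constructed for the demonstration.

# resolve_cmd "COMMAND STRING" "PATH"
#   Print the file sh would execute for the first word of the command string
#   under the given PATH; print nothing if it is not found. A word containing
#   a slash is never looked up in PATH, which is exactly why an absolute
#   "/usr/bin/lshw -short" would not be hijackable this way.
resolve_cmd() {
    word=${1%% *}                    # first word of the popen() string
    case "$word" in
        */*) if [ -x "$word" ]; then printf '%s\n' "$word"; fi ;;
        *)   (PATH="$2"; export PATH; hash -r 2>/dev/null
              command -v "$word" 2>/dev/null) || : ;;
    esac
}

# run_like_popen "COMMAND STRING" "PATH"
#   Execute the string exactly as popen() does, through sh -c, but with PATH
#   set to the given value; stdout is passed through.
run_like_popen() {
    PATH="$2" /bin/sh -c "$1"
}

# Demonstration: a fake "lshw" in a temporary directory placed first in PATH.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "hijacked: $*"\n' > "$tmp/lshw"
    chmod 755 "$tmp/lshw"
    attacker_path="$tmp:/usr/bin:/bin"
    fixed_path="/usr/sbin:/usr/bin:/sbin:/bin"
    r=$(resolve_cmd 'lshw -short' "$attacker_path")
    echo "resolved under attacker PATH : ${r:-(not found)}"
    r=$(resolve_cmd 'lshw -short' "$fixed_path")
    echo "resolved under fixed PATH    : ${r:-(not found)}"
    echo "run via sh -c like popen()   : $(run_like_popen 'lshw -short' "$attacker_path")"
    rm -rf "$tmp"
}

demo
```

The two fixes follow directly from the demonstration: invoke each helper by absolute path (a word containing a slash is never looked up in PATH) and, since a setuid program must not trust its inherited environment, set PATH to a fixed value before running anything, or avoid the shell altogether with fork/execve and an explicit environment. Note that the argument being an absolute path changes nothing; in "cat /proc/cpuinfo" the command word is still the bare "cat".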

Moving on to the [[Magic_Privilege_Escalation#|Privilege Escalation]] phase