scanlosers.sh


kid@scriptkiddie:/home/pwn$ ll
total 44
drwxr-xr-x 6 pwn  pwn  4096 Feb  3  2021 ./
drwxr-xr-x 4 root root 4096 Feb  3  2021 ../
lrwxrwxrwx 1 root root    9 Feb  3  2021 .bash_history -> /dev/null
-rw-r--r-- 1 pwn  pwn   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 pwn  pwn  3771 Feb 25  2020 .bashrc
drwx------ 2 pwn  pwn  4096 Jan 28  2021 .cache/
drwxrwxr-x 3 pwn  pwn  4096 Jan 28  2021 .local/
-rw-r--r-- 1 pwn  pwn   807 Feb 25  2020 .profile
-rw-rw-r-- 1 pwn  pwn    74 Jan 28  2021 .selected_editor
drwx------ 2 pwn  pwn  4096 Feb 10  2021 .ssh/
drwxrw---- 2 pwn  pwn  4096 mar 31 10:00 recon/
-rwxrwxr-- 1 pwn  pwn   250 Jan 28  2021 scanlosers.sh*

While I was checking out the other user in the system, I found an interesting bash script located in the home directory.

kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
#!/bin/bash
 
log=/home/kid/logs/hackers
 
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
    sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
 
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi

The bash script above does the following:

  1. Stores the path of the log file /home/kid/logs/hackers in the variable log.
  2. Changes the current working directory to /home/pwn/.
  3. Uses cat to read the contents of the log file named in the log variable, cut to extract the third field and everything after it (-f3-), and sort -u to sort the resulting values and remove duplicates; each remaining value is read into the ip variable.
  4. For each ip value, the script runs nmap with the --top-ports 10 option to scan the 10 most commonly used ports and saves the results to a file in the recon/ directory named after the ip value with a .nmap extension. The command line is built as a string and handed to sh -c, and the & at the end runs it in the background.
  5. If the log file has more than 0 lines, the script runs echo -n (which outputs nothing) with its output redirected into the log file, truncating it to zero length.
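The same job written without the weakness the steps above describe, as an added example that is not the box's scanlosers.sh: log entries are validated as IPv4 addresses before they are used, and the scanner is invoked directly with the address as a single argument instead of being spliced into a string passed to sh -c. LOG and RECON_DIR are placeholders for the paths on the page, and the scanner command is a parameter so the logic can be exercised with a stub; both are assumptions of this example.

```bash
#!/bin/bash
# Added example, not the original scanlosers.sh. Reads the log, takes field 3
# onward, scans each unique validated entry, then truncates the log.
# Assumed paths (placeholders for this example).
LOG=${LOG:-/home/kid/logs/hackers}
RECON_DIR=${RECON_DIR:-/home/pwn/recon}

# Returns 0 only for a dotted-quad IPv4 address with every octet in 0..255.
# Anything else (extra fields, hostnames, punctuation) is rejected.
is_valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the unique, validated targets from the log, one per line.
# Rejected entries go to stderr so an operator can see what was dropped.
extract_targets() {
    log=$1
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s\n' "$line" | cut -d' ' -f3-)
        if is_valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'scanlosers: rejected log entry: %s\n' "$line" >&2
        fi
    done <"$log" | sort -u
}

# Scans each validated target with the command given in "$@" (defaults to
# nmap --top-ports 10). The address is one argv element, so no shell ever
# re-parses it, and the output file name is derived only from the validated
# address. The log is truncated afterwards, as in the original.
scan_targets() {
    mkdir -p "$RECON_DIR"
    [ $# -gt 0 ] || set -- nmap --top-ports 10
    extract_targets "$LOG" | {
        while IFS= read -r ip; do
            "$@" -oN "$RECON_DIR/$ip.nmap" "$ip" >/dev/null 2>&1 &
        done
        wait
    }
    : >"$LOG"
}

# Entry point when run directly as a script.
if [ "${1:-}" = --run ]; then
    scan_targets
fi
```

Run it as `bash hardened-scanlosers.sh --run` (hypothetical file name) to process the log once. The validation step is what removes the problem on this page: a log line such as `testing 123 456` yields `456`, which is not an IPv4 address and never reaches the scanner, and the direct `"$@" ... "$ip"` invocation means that even a value the validator let through is handled as data, not re-parsed as shell syntax.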

/home/kid/logs/hackers


kid@scriptkiddie:/home/pwn$ cat /home/kid/logs/hackers
kid@scriptkiddie:/home/pwn$ ll /home/kid/logs/
total 8
drwxrwxrwx  2 kid kid 4096 Mar 31 09:45 ./
drwxr-xr-x 11 kid kid 4096 Feb  3  2021 ../
-rw-rw-r--  1 kid pwn    0 Mar 31 09:49 hackers

Interestingly, the /home/kid/logs/hackers file is empty, but I can write to it as the current user (kid) owns both the file and the parent directory.

kid@scriptkiddie:/home/pwn$ echo 'testing 123 456' > /home/kid/logs/hackers

Upon writing arbitrary data to the file, some executions are made in the background.

pspy captured the executions made in the background with the uid of 1001, which is the pwn user.

As it's written in the scanlosers.sh file above, 456 is picked up as the ip variable and passed on to the Nmap command. This is clearly a vulnerability, as I can control what gets passed to the Nmap command, which gets executed with the privileges of the pwn user; I may be able to inject OS commands into it to make a lateral movement.