Shell Spawner


This is a simple C program that sets its user ID to 0 (setuid(0)) and then spawns a shell.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ sudo gcc -m32 suid.c -o ToRoot

It is compiled with the -m32 flag so that the resulting 32-bit binary matches the architecture of the target system.

Docker Exploit Development


Since I didn’t want to install the old glibc library on Kali, as it would potentially cause mayhem due to dependencies from many other installed tools, I decided to go for a Docker container where I can create an environment as close as possible to, if not identical to, that of the target system.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ docker run -it --entrypoint "/bin/bash" --name tartarsauce ubuntu:16.04
Unable to find image 'ubuntu:16.04' locally
16.04: Pulling from library/ubuntu
58690f9b18fc: Pull complete 
b51569e7c507: Pull complete 
da8ef40b9eca: Pull complete 
fb15d46c38dc: Pull complete 
Digest: sha256:91bd29a464fdabfcf44e29e1f2a5f213c6dfa750b6290e40dd6998ac79da3c41
Status: Downloaded newer image for ubuntu:16.04

First, create a Docker container from ubuntu:16.04, the same release as the target machine: -i keeps STDIN open (interactive session), -t allocates a pseudo-TTY, and --entrypoint "/bin/bash" sets the default entry shell. The container is named tartarsauce.

root@e7a83ab0f95b:/# 
root@e7a83ab0f95b:/# apt update -y ; apt install net-tools netcat gcc gcc-multilib nano -y
[...]
Setting up libmpc3:amd64 (1.0.3-1) ...
Setting up net-tools (1.60-26ubuntu1) ...
Setting up manpages (4.04-2) ...
Setting up binutils (2.26.1-1ubuntu1~16.04.8) ...
Setting up gcc (4:5.3.1-1ubuntu1) ...
Setting up libc6-i386 (2.23-0ubuntu11.3) ...
Setting up libc-dev-bin (2.23-0ubuntu11.3) ...
Setting up libc6-x32 (2.23-0ubuntu11.3) ...
Setting up gcc-multilib (4:5.3.1-1ubuntu1) ...
update-alternatives: using /bin/nc.traditional to provide /bin/nc (nc) in auto mode
Setting up netcat (1.10-41) ...

Second, configure the environment by installing the compiler, the 32-bit support libraries and a text editor, as well as some networking tools to transfer the file later.

root@e7a83ab0f95b:/tmp# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Double-check the glibc version: it matches that of the target machine (2.23).

root@e7a83ab0f95b:/tmp# nano suid.c

Write the same shell-spawning program in C.

root@e7a83ab0f95b:/tmp# gcc -m32 suid.c -o ToRoot
suid.c: In function 'main':
suid.c:9:9: warning: null argument where non-null required (argument 2) [-Wnonnull]
         execve("/bin/sh", NULL, NULL);
         ^
root@e7a83ab0f95b:/tmp# ls
ToRoot  suid.c

Compile it the same way. It produces a warning (a NULL argv passed to execve), but I can ignore it in this case.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ ip a s | grep -i docker0 | grep -i inet
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0

The Kali machine’s Docker bridge interface is docker0, and its IP address is 172.17.0.1.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ nnc 1234 > ToRoot
listening on [any] 1234 ...

Start the Netcat listener on Kali, redirecting whatever arrives on port 1234 into a file named ToRoot.

root@e7a83ab0f95b:/tmp# nc 172.17.0.1 1234 < ToRoot    

Send the binary from the Docker container to Kali.

The Netcat listener on Kali receives the binary.
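The reason for matching the glibc version above is that the dynamic loader on the target must be able to satisfy every GLIBC_x.y symbol version the binary imports. The following script is an added example, not part of the original writeup: it takes `objdump -T` output for a binary and the target's `ldd --version` output and reports whether the binary's glibc requirement exceeds what the target has. Both sample outputs are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: compare a binary's highest required GLIBC_x.y symbol
# version (from `objdump -T`) with the glibc version the target reports
# via `ldd --version`. Sample inputs below are constructed.

# Constructed `objdump -T` output for a binary built against a newer glibc.
SAMPLE_OBJDUMP='DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.0   setuid
00000000      DF *UND*  00000000  GLIBC_2.0   execve
00000000      DF *UND*  00000000  GLIBC_2.27  glob'

# Constructed `ldd --version` output in the same form the target printed.
SAMPLE_LDD='ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.'

# Highest GLIBC_x.y version among undefined (imported) symbols, read from
# objdump -T text on stdin. This is what the target's loader must provide.
max_glibc_required() {
    awk '/\*UND\*/ && match($0, /GLIBC_[0-9]+\.[0-9]+/) {
            v = substr($0, RSTART + 6, RLENGTH - 6)
            split(v, p, ".")
            if (p[1] + 0 > maj + 0 || (p[1] + 0 == maj + 0 && p[2] + 0 > min + 0)) {
                maj = p[1]; min = p[2]; best = v
            }
        }
        END { if (best != "") print best }'
}

# glibc version printed at the end of the first line of `ldd --version`.
target_glibc_version() {
    awk 'NR == 1 { print $NF }'
}

# Exit status 0 when the required version does not exceed the target's.
glibc_compatible() {
    awk -v need="$1" -v have="$2" 'BEGIN {
        split(need, n, "."); split(have, h, ".")
        ok = (n[1] + 0 < h[1] + 0) || (n[1] + 0 == h[1] + 0 && n[2] + 0 <= h[2] + 0)
        exit (ok ? 0 : 1)
    }'
}

need=$(printf '%s\n' "$SAMPLE_OBJDUMP" | max_glibc_required)
have=$(printf '%s\n' "$SAMPLE_LDD" | target_glibc_version)
if glibc_compatible "$need" "$have"; then
    echo "OK: binary needs GLIBC_$need, target has glibc $have"
else
    echo "MISMATCH: binary needs GLIBC_$need, target has glibc $have"
fi
```

On a real binary, feed `objdump -T ToRoot` to max_glibc_required and the target's `ldd --version` output to target_glibc_version; a MISMATCH result is the "version `GLIBC_x.y' not found" failure the Docker build environment avoids.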