SUID


A SUID binary was identified that can be executed under the current security context. At a later stage it was also scanned and flagged by PEAS.

www-data@updown:/var/www$ file /home/developer/dev/siteisup
/home/developer/dev/siteisup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b5bbc1de286529f5291b48db8202eefbafc92c1f, for GNU/Linux 3.2.0, not stripped
www-data@updown:/var/www$ ll /home/developer/dev/siteisup
20K -rwsr-x--- 1 developer www-data 17K Jun 22  2022 /home/developer/dev/siteisup

The /home/developer/dev/siteisup file is a 64-bit ELF binary owned by developer:www-data with the setuid bit set, which means the www-data account can execute the binary as the developer user.

www-data@updown:/var/www$ /home/developer/dev/siteisup
Welcome to 'siteisup.htb' application
 
enter url here:

Upon execution, the binary prompts for a URL. This appears to be a command-line version of the web app that was exploited to gain the foothold.

Checking back on pspy, executing the SUID binary invoked a Python script: /home/developer/dev/siteisup_test.py

enter url here:http://10.10.16.8:80/test
Traceback (most recent call last):
  File "/home/developer/dev/siteisup_test.py", line 3, in <module>
    url = input("enter url here:")
  File "<string>", line 1
    http://10.10.16.8:80/test
        ^
SyntaxError: invalid syntax
 
www-data@updown:/var/www$ /home/developer/dev/siteisup
Welcome to 'siteisup.htb' application
 
enter url here:"http://10.10.16.8:80/test"
Website is down

Interestingly, I had to wrap the input in double quotes to make the script work. It indeed is a command-line version of the web app, as it sent out a GET request to the Kali web server.

siteisup_test.py


www-data@updown:/var/www$ file /home/developer/dev/siteisup_test.py ; ll /home/developer/dev/siteisup_test.py
/home/developer/dev/siteisup_test.py: ASCII text
4.0K -rwxr-x--- 1 developer www-data 154 Jun 22  2022 /home/developer/dev/siteisup_test.py

The script is group-readable by www-data, so the www-data account is able to read the external Python script: /home/developer/dev/siteisup_test.py

www-data@updown:/var/www$ cat /home/developer/dev/siteisup_test.py
import requests
 
url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

It's a dead simple Python script: it reads a URL, requests it, and reports whether the site is up based on the status code.

www-data@updown:/dev/shm$ strings /home/developer/dev/siteisup | grep -i python
/usr/bin/python /home/developer/dev/siteisup_test.py

The script is invoked with the absolute path of the Python binary: /usr/bin/python

/usr/bin/python is Python 2


www-data@updown:/dev/shm$ ls -la /usr/bin/python
lrwxrwxrwx 1 root root 7 Apr 15  2020 /usr/bin/python -> python2
 
www-data@updown:/dev/shm$ /usr/bin/python --version
Python 2.7.18

It uses Python 2.

Input function in Python 2


The input function in Python 2 is essentially equivalent to eval(raw_input(prompt)). Whatever the user types is passed to eval and interpreted as a Python expression, so the result takes whatever value and type the expression evaluates to rather than being kept as a string. This explains why the bare URL produced a SyntaxError while the quoted URL worked, and it is what makes the function vulnerable to code injection, since the input is executed by eval. This is why developers were heavily advised to use the raw_input function over the input function.
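The following is an added example, not code from the writeup or from the siteisup script. It models the Python 2 input() semantics described above (eval of the raw line) on Python 3 so the quoting behaviour seen earlier can be reproduced offline, and it shows a hardened rewrite of the script's logic that treats the line as data. The function names, the injected fetch callable and the sample inputs are assumptions made for the example.

```python
"""Added example: why Python 2's input() turns a URL prompt into an eval()
sink, and what the safe equivalent looks like. Runs on Python 3."""
import urllib.parse


def py2_input(text):
    """Model of Python 2's input(): eval(raw_input()). `text` stands in for the
    line the user typed, so nothing is read from stdin. Deliberately unsafe;
    this is the defect being demonstrated."""
    return eval(text)


def classify_py2_input(text):
    """Describe how the legacy input() would treat one line of user input."""
    try:
        value = py2_input(text)
    except SyntaxError:
        return "syntax error"
    if isinstance(value, str):
        return "string"
    return "evaluated " + type(value).__name__


def read_url_safely(text):
    """Hardened replacement for input(): never evaluate the line. Parse it as a
    URL and accept only http(s) URLs with a host; raise ValueError otherwise."""
    text = text.strip()
    parsed = urllib.parse.urlsplit(text)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("rejected input: %r" % text)
    return text


def check_site(text, fetch):
    """Port of the script's up/down logic with the fix applied. `fetch` is an
    assumed callable returning an HTTP status code, injected so the example
    needs no network."""
    url = read_url_safely(text)
    return "Website is up" if fetch(url) == 200 else "Website is down"


if __name__ == "__main__":
    # Constructed inputs mirroring the session in the writeup.
    samples = ["http://10.10.16.8:80/test", '"http://10.10.16.8:80/test"', "1+1"]
    for line in samples:
        print("%r -> %s" % (line, classify_py2_input(line)))
    # With the hardened reader the quotes are just characters and are rejected,
    # while the bare URL (which crashed the original) is accepted.
    for line in samples[:2]:
        try:
            print(line, "->", check_site(line, lambda u: 200))
        except ValueError as exc:
            print(line, "->", exc)
```

Under the modelled Python 2 semantics the bare URL is a syntax error, the quoted URL becomes a string, and an arbitrary expression is evaluated; the hardened reader reverses this so that only a plain, parseable http(s) URL is accepted and nothing typed at the prompt is ever executed.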

Moving on to the Lateral Movement phase.