InfoSec LAB

Zipping_sudo_privileges_rektsu

Created: 3 min read

rektsu

Checking for sudo privileges of the rektsu user after performing basic enumeration

rektsu@zipping:/dev/shm$ sudo -l
matching defaults entries for rektsu on zipping:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
user rektsu may run the following commands on zipping:
    (all) nopasswd: /usr/bin/stock

The rektsu user is able to execute /usr/bin/stock as the root user This was picked up by PEAS earlier as well

/usr/bin/stock

rektsu@zipping:/dev/shm$ file /usr/bin/stock
/usr/bin/stock: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=aa34d8030176fe286f8011c9d4470714d188ab42, for GNU/Linux 3.2.0, not stripped

The /usr/bin/stock is a 64-bit executable binary

rektsu@zipping:/home/rektsu$ strstrings /usr/bin/stock
/lib64/ld-linux-x86-64.so.2
mgUa
fgets
stdin
puts
exit
fopen
__libc_start_main
fprintf
dlopen
__isoc99_fscanf
__cxa_finalize
strchr
fclose
__isoc99_scanf
strcmp
__errno_location
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
Hakaize
St0ckM4nager
/root/.stock.csv
Enter the password: 
Invalid password, please try again.
================== Menu ==================
1) See the stock
2) Edit the stock
3) Exit the program
Select an option: 
You do not have permissions to read the file
File could not be opened.
================== Stock Actual ==================
Colour     Black   Gold    Silver
Amount     %-7d %-7d %-7d
Quality   Excelent Average Poor
Amount    %-9d %-7d %-4d
Exclusive Yes    No
Amount    %-4d   %-4d
Warranty  Yes    No
================== Edit Stock ==================
Enter the information of the watch you wish to update:
Colour (0: black, 1: gold, 2: silver): 
Quality (0: excelent, 1: average, 2: poor): 
Exclusivity (0: yes, 1: no): 
Warranty (0: yes, 1: no): 
Amount: 
Error: The information entered is incorrect
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
The stock has been updated correctly.
;*3$"
GCC: (Debian 12.2.0-3) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
stock.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
__errno_location@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__isoc99_fscanf@GLIBC_2.7
puts@GLIBC_2.2.5
stdin@GLIBC_2.2.5
_edata
fclose@GLIBC_2.2.5
_fini
strchr@GLIBC_2.2.5
fgets@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
dlopen@GLIBC_2.34
fprintf@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
checkAuth
_end
__bss_start
main
fopen@GLIBC_2.2.5
__isoc99_scanf@GLIBC_2.7
exit@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

Using the strings tool, to check for strings within the binary reveals a lot more information about the binary

  • appears to be an administrative program designed to review/modify stocks
  • seems to have a form of authentication
    • St0ckM4nager appears to be the hard-coded password
  • The /root/.stock.csv file seems to be vital to the operation of the binary as it appears to get modified
rektsu@zipping:/home/rektsu$ sudo -u root /usr/bin/stock 
Enter the password: St0ckM4nager
 
================== Menu ==================
 
1) See the stock
2) Edit the stock
3) Exit the program
 
Select an option:

Executing the binary initially prompts for authentication and St0ckM4nager was indeed the password 3 options are given

See the stock

select an option: 1
 
================== Stock Actual ==================
 
Colour     Black   Gold    Silver
Amount     0       217644  13     
 
Quality   Excelent Average Poor
Amount    0         217644  13  
 
Exclusive Yes    No
Amount    36     217693
 
Warranty  Yes    No
Amount    13     217645

Seeing the stock reveals the stock attributes such as Colour, Quality, Exclusive, and Warranty

Edit the stock

Select an option: 2
 
================== Edit Stock ==================
 
Enter the information of the watch you wish to update:
Colour (0: black, 1: gold, 2: silver): 0
Quality (0: excelent, 1: average, 2: poor): 0
Exclusivity (0: yes, 1: no): 0
Warranty (0: yes, 1: no): 0
Amount: 10
The stock has been updated correctly.

Whereas I seem to be modify the stocks with the option 2

I will look further into the binary by running it with strace

Interactive Graph View

Backlinks