barney

Checking for sudo privileges of the barney user after gaining the initial foothold

barney@b3dr0ck:~$ sudo -l
Matching Defaults entries for barney on b3dr0ck:
    insults, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User barney may run the following commands on b3dr0ck:
    (ALL : ALL) /usr/bin/certutil

The barney user is able to execute /usr/bin/cerutil as anyone

/usr/bin/certutil

barney@b3dr0ck:~$ cat /usr/bin/certutil
#!/usr/bin/env node
 
 
require('../dist/certs');
 
barney@b3dr0ck:~$ find / -name certs.js 2>/dev/null
/usr/share/abc/dist/certs.js

It requires dist/certs

barney@b3dr0ck:~$ sudo -u root /usr/bin/certutil
 
Cert Tool Usage:
----------------
 
Show current certs:
  certutil ls
 
Generate new keypair:
  certutil [username] [fullname]

Executing it shows the usage

barney@b3dr0ck:~$ sudo -u root /usr/bin/certutil fred fred
Generating credentials for user: fred (fred)
Generated: clientKey for fred: /usr/share/abc/certs/fred.clientKey.pem
Generated: certificate for fred: /usr/share/abc/certs/fred.certificate.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAwxx97+jbBPutmBOnUuTvUvM28fwUczkwSKjLh2/MP62Sr2G9
nluThw9Hk9q2va/HLW/j9GqCbEQJ7fiFK8OtzuYSS0I/eSlMnNN1nax4x0bbXMFN
X+APHC3uCPOt22KfWeh4rrEjyK2M1q6hvMPb5elFhgiTKcB8BTsuDkJV7MAIKMTh
ehHlzk4Gir2z9k2efUTS9JP64gH6nFAfNpb4gYUQKU6lJRfWctJ3nBmjaogRagHG
Dc6PDYi0sRmY2l+q6Wb4kJFOLs1/Z6K2hjoTfuZGfyE1Wp/9+8jQEsY+YO/2Yw6b
WIz1rrGLjW4P7D4fxKOYMrAnM80B+rFoyLGubwIDAQABAoIBAGYl2Y0r5Na0CQtQ
Zs6QSverm72O0woMC8pOjNfoYQ+JiP1G96YbnZ4dEsVGwVuH1ohkRvzkcknKSUSM
UvQ5qxph+3vpQB/nzlNgpfgZntX9s8TY8vBZ9q8zIKcRJJlyBalleyFCXlCnA9A1
dznDdLHmsd5dSOaX/pYiiJcwhZm/eJ/eYdPzsTNIAtM2R8irTnkqSw9PQSfNQxo0
3IwBILp5kRCZzSLRvePeHj1Qv8IiPfPGDn54duhuHnzshkBXrXU4Sv9A4xpULH7J
LSaw+qNTmbQAD9KBCZy6tdZiSWZYZg1Z8h1rKIgN2lxKZ0ItStixcewh0lN4qUU4
8QkM5tECgYEA9pnfn+FNSoSEkUaHXmL2GRMmrcUS8j2hZCXdfTwrlKQFvUidoc/S
KWduWJhK0LW09r+HI8kFM6kdvDpLaNQNSE8/Xkb6av9UazRkZFlk/yMUPFisYP50
B/4ywOlWt+imGbufXypyHzYvpH9dr24+w8Pe4KyBRwP42IPP8A94u4kCgYEAyow5
cVxSO7fnmbKZcOJAHzNVCQ1vG8tje7+LijkNCcg3RlOncTs9t5FRpYGvbvOSsPiR
SLGIiBXd1A2j5Xsvwmd+yOaWjI1gilr/vLqfkrQoq8blQXP1flhXY4CNIBVD9Qn7
SPz6fnb3skI4IiRxyoSTPqn2F8UzjCOeusMpRDcCgYAiPcN7Y8Fjs3rk4TIyvPMH
EE2ym0bCNCSQz2Et3oj+nrfdTJP2v/CipyX/T0Y0LMbv7DBLm8IJJlZmqIGIEMm3
XKmj4Z8r9EA4kpHODUuk0a4hov5siWh7I6TQfJX5+2f08sRyZmZqRw/ee4D6twgo
Dq6H6+wXfEm1Zrgc0UkmYQKBgEmBqjchshZKH5r/3f/BnFO2ZV3rqi8EGQ6H7TQ0
kC7Eooq7QUEupq8/5cmSzwANFWd0TgV7qHj6to6GhLx7gFGlDbYLOQe5JxgO/lCX
yeGL0FbGz9x5INbBaLWLqavDC+6ZuMA8TwwmUK44qfZ6E3HTuzw6ojzuLE7nfmt4
+DjxAoGAKShIDzYFoQDMywk+z1Ih0N1fW6vM9IvIVVSWn/sTADnWxk6W3NqwMBqi
TvYW5uywOHu2QARZNIermf2N3c+MG1b0XhuvMQtpHC4N++F3eZwQlInL897USE+I
Ne2fhjkHbGzFgFhIYx5WRYhoQsiBzlmw8w05LPjYuGfF2OagUBE=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICmDCCAYACAjA5MA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCWxvY2FsaG9z
dDAeFw0yNDA3MTExNDI2MzJaFw0yNDA3MTIxNDI2MzJaMA8xDTALBgNVBAMMBGZy
ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDHH3v6NsE+62YE6dS
5O9S8zbx/BRzOTBIqMuHb8w/rZKvYb2eW5OHD0eT2ra9r8ctb+P0aoJsRAnt+IUr
w63O5hJLQj95KUyc03WdrHjHRttcwU1f4A8cLe4I863bYp9Z6HiusSPIrYzWrqG8
w9vl6UWGCJMpwHwFOy4OQlXswAgoxOF6EeXOTgaKvbP2TZ59RNL0k/riAfqcUB82
lviBhRApTqUlF9Zy0necGaNqiBFqAcYNzo8NiLSxGZjaX6rpZviQkU4uzX9noraG
OhN+5kZ/ITVan/37yNASxj5g7/ZjDptYjPWusYuNbg/sPh/Eo5gysCczzQH6sWjI
sa5vAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABGOlzlCSRUvpcbw2+A311AGKP/6
pG5Zln1XHgjfai80S5MmLWzatF20eZnd0+Fg/t8ujI3Bmjoy6EB8ViykzfdqGw6v
6qHK12VVV4Dh2PcihcQuMZS9Jjdo5XAw11lW36YdZcLWavdJtdT5EHdRMbKEtk/S
lcnh/E3HaqTgAZ+upMAywj3DxXmfrt2R1/Pa6hzNviwuZdw3eOFp/oHk5gfu8LkY
jULarNWLHXZJWQWn0q8PhQS9POGtPdrfaWNCsgYml2kRmvRWMoJWsDSokNow1aTT
2aJhQuSeTDarVUg7gfV4gK3SY4erOg0HATvDGkTA271js1D0OlR7ouWVP5g=
-----END CERTIFICATE-----

Key generation is possible, but this is unnecessary as I already obtained the credential of the fred user

certs.js

barney@b3dr0ck:~$ cat /usr/share/abc/dist/certs.js 
"use strict";var __read=this&&this.__read||function(o,n){var m=typeof Symbol==="function"&&o[Symbol.iterator];if(!m)return o;var i=m.call(o),r,ar=[],e;try{while((n===void 0||n-- >0)&&!(r=i.next()).done)ar.push(r.value)}catch(error){e={error:error}}finally{try{if(r&&!r.done&&(m=i["return"]))m.call(i)}finally{if(e)throw e.error}}return ar};var __importDefault=this&&this.__importDefault||function(mod){return mod&&mod.__esModule?mod:{default:mod}};Object.defineProperty(exports,"__esModule",{value:true});exports.generateCredentials=void 0;var safe_1=__importDefault(require("colors/safe"));var fs_1=__importDefault(require("fs"));var pem_1=__importDefault(require("pem"));var path_1=__importDefault(require("path"));var child_process_1=require("child_process");var SERVICE_SERIAL=12345;var SERVICE_CERT_DIR=path_1.default.join(__dirname,"..","certs");var SERVICE_KEY_FILE="server.serviceKey.pem";var SERVICE_CERT_FILE="server.certificate.pem";var SERVICE_KEY_PATH=path_1.default.join(SERVICE_CERT_DIR,SERVICE_KEY_FILE);var SERVICE_CERT_PATH=path_1.default.join(SERVICE_CERT_DIR,SERVICE_CERT_FILE);var SERVICE_CERT_LIST=function(){return(0,child_process_1.execSync)("ls -al ".concat(SERVICE_CERT_DIR,"/ | grep -v server")).toString()};var SERVICE_HELP="\nCert Tool Usage:\n----------------\n\nShow current certs:\n  certutil ls\n\nGenerate new keypair:\n  certutil [username] [fullname]\n";var SERVICE_HELP_LIST=function(){return"\nCurrent Cert List: (".concat(SERVICE_CERT_DIR,")\n------------------\n").concat(SERVICE_CERT_LIST(),"\n")};var epicFail=function(msg){console.log(safe_1.default.red("EPIC FAIL: ".concat(msg)))};var writeKeysSync=function(name,keys){for(var k in keys){var data=keys[k];var filename=[name,k,"pem"].join(".");var filepath=path_1.default.join(SERVICE_CERT_DIR,filename);fs_1.default.writeFileSync(filepath,data);if(!fs_1.default.existsSync(filepath)){throw new Error("Failed writing file: ".concat(filepath))}if(["certificate","clientKey"].includes(k)){console.log(safe_1.default.dim("Generated: ".concat(k," for ").concat(name,": ").concat(filepath)))}}};var generateCredentials=function(){var args=process.argv.slice(2);var _a=__read(args,2),arg0=_a[0],arg1=_a[1];if(/ls|list|show|find/i.test(arg0)){console.log(SERVICE_HELP_LIST());process.exit(0)}if(/help/i.test(arg0)||args.length<2){console.log(SERVICE_HELP);process.exit(0)}if(args.length!==2){console.log(fs_1.default.readFileSync(path_1.default.join(__dirname,"../art/lol.txt")).toString());epicFail("wut am i supposed to do with: ".concat(args.join(" "),"?"));console.log(SERVICE_HELP);process.exit(69)}if(!fs_1.default.existsSync(SERVICE_KEY_PATH)){epicFail("Missing service certificate: ".concat(SERVICE_CERT_FILE));process.exit(69)}if(!fs_1.default.existsSync(SERVICE_CERT_PATH)){epicFail("Missing service key file: ".concat(SERVICE_KEY_FILE));process.exit(69)}var user=arg0.replace(/[^a-zA-Z0-9 ]/gi,"");var name=arg1.replace(/[^a-zA-Z0-9 ]/gi,"");pem_1.default.createCertificate({commonName:name,days:1,serial:SERVICE_SERIAL,selfSigned:false,serviceKey:fs_1.default.readFileSync(SERVICE_KEY_PATH).toString(),serviceCertificate:fs_1.default.readFileSync(SERVICE_CERT_PATH).toString()},(function(err,data){if(err){console.error(err.message||err);return}console.log(safe_1.default.yellow("Generating credentials for user: ".concat(user," (").concat(name,")")));writeKeysSync(user,data);console.log(data.clientKey);console.log(data.certificate)}))};exports.generateCredentials=generateCredentials;(0,exports.generateCredentials)();

Zero read-ability

InfoSec LAB

Explorer

b3dr0ck_sudo_privileges_barney

barney

/usr/bin/certutil

certs.js

Interactive Graph View

Table of Contents

Backlinks