config directory for the libcalc.so file as shown ls -laĭrwxr-xr-x 12 root root 2820 Apr 17 06:55 devĭrwxr-xr-x 67 root root 4096 Apr 17 08:09 etc On the output above we will note that the executable tries to load the /home/user/.config/libcalc.so shared object within our user home directory, but it cannot be found. We will run the exploit script to gain a root strace /usr/local/bin/suid-so 2> & 1 | grep -iE "open|access|no such file" access ( "/etc/suid-debug", F_OK ) = -1 ENOENT (No such file or directory ) access ( "/etc/ld.so.nohwcap", F_OK ) = -1 ENOENT (No such file or directory ) access ( "/etc/ld.so.preload", R_OK ) = -1 ENOENT (No such file or directory ) open ( "/etc/ld.so.cache", O_RDONLY ) = 3 access ( "/etc/ld.so.nohwcap", F_OK ) = -1 ENOENT (No such file or directory ) open ( "/lib/libdl.so.2", O_RDONLY ) = 3 access ( "/etc/ld.so.nohwcap", F_OK ) = -1 ENOENT (No such file or directory ) open ( "/usr/lib/libstdc++.so.6", O_RDONLY ) = 3 access ( "/etc/ld.so.nohwcap", F_OK ) = -1 ENOENT (No such file or directory ) open ( "/lib/libm.so.6", O_RDONLY ) = 3 access ( "/etc/ld.so.nohwcap", F_OK ) = -1 ENOENT (No such file or directory ) open ( "/lib/libgcc_s.so.1", O_RDONLY ) = 3 access ( "/etc/ld.so.nohwcap", F_OK ) = -1 ENOENT (No such file or directory ) open ( "/lib/libc.so.6", O_RDONLY ) = 3 open ( "/home/user/.config/libcalc.so", O_RDONLY ) = -1 ENOENT (No such file or directory ) A local privilege escalation exploit matching this version of exim can be found on the Debian VM at /home/user/tools/suid/exim/cve-2016-1531.sh. rwsr-xr-x 1 root root 94992 /sbin/mount.nfsįrom the output above, we will note that /usr/sbin/exim-4.84-3 is vulnerable to manipulating its perl environment and it also has its own CVE: 2016-1531. rwxr-sr-x 1 root shadow 31864 /sbin/unix_chkpwd rwsr-xr-x 1 root root 10592 /usr/lib/pt_chown rwsr-xr-x 1 root root 212128 /usr/lib/openssh/ssh-keysign rwsr-xr-x 1 root root 6776 /usr/lib/eject/dmcrypt-get-device rwsr-sr-x 1 root staff 6899 /usr/local/bin/suid-env2 rwsr-sr-x 1 root staff 6883 /usr/local/bin/suid-env rwsr-sr-x 1 root staff 9861 /usr/local/bin/suid-so rwxr-sr-x 1 root tty 12000 /usr/bin/wall rwsr-xr-x 1 root root 39856 /usr/bin/chfn
rwsr-xr-x 1 root root 60208 /usr/bin/gpasswd rwsr-xr-x 1 root root 43280 /usr/bin/passwd rwxr-sr-x 1 root shadow 56976 /usr/bin/chage rwsr-xr-x 2 root root 168136 /usr/bin/sudoedit rwsr-xr-x 1 root root 32808 /usr/bin/newgrp rwxr-sr-x 1 root crontab 35040 /usr/bin/crontab rwxr-sr-x 1 root tty 11000 /usr/bin/bsd-write rwsr-xr-x 2 root root 168136 /usr/bin/sudo rwsr-xr-x 1 root root 37552 /usr/bin/chsh rwxr-sr-x 1 root ssh 108600 /usr/bin/ssh-agent rwxr-sr-x 1 root shadow 19528 /usr/bin/expiry
LINUX EXPLOIT SUGGESTER FULL
We need to locate the full path of the overwrite.sh file with the following find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l \ 2> /dev/null One runs overwrite.sh, the other runs /usr/local/bin/compress.sh. There are two cron jobs scheduled to run every minute. * * * * * root /usr/local/bin/compress.sh # m h dom mon dow user command 17 * * * * root cd / & run-parts -report /etc/cron.hourlyĢ5 6 * * * root test -x /usr/sbin/anacron || ( cd / & run-parts -report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / & run-parts -report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / & run-parts -report /etc/cron.monthly ) # * * * * * root overwrite.sh PATH =/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
These files also have username fields, # that none of the other crontabs do.
LINUX EXPLOIT SUGGESTER INSTALL
# /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d.
Note that the /etc/shadow file on the VM is cat /etc/crontab
LINUX EXPLOIT SUGGESTER PASSWORD
The /etc/shadow file contains user password hashes and is usually readable only by the root user. Weak File Permissions Readable /etc/shadow We are given SSH access to the intentionally misconfigured Debian VM for Linux Privilege Escalation practice. This VM was created by Sagi Shahar as part of his local privilege escalation workshop but has been updated by Tib3rius as part of his Linux Privilege Escalation for OSCP and Beyond! Practice your Linux Privilege Escalation skills on an intentionally misconfigured Debian VM with multiple ways to get root!
0 kommentar(er)
