In real-world, when you get the root user shell like this, you must restore the ownership to keep it away from the eyes of the system administrators LAB: Not all PATHs are Secure Then after using the su utility to login via root user and get a privileged root shell Now /etc/shadow file is accessible to john user, You can create the password using OpenSSL utility and update in the file. For this lab, you can also use /etc/passwd file to change ownership and update the password A symlink is like a direct connection to the source file, any actions you do on the symlink, it is actually done on the source file. You can create a symlink of the non-accessible files as it will kind of "redirect" all your actions on the source file.Īfter the execution of the cron job, I am now confident that the chown command is indeed using -L to follow all the all symlinks as well. Since you can't copy a protected file as the cp command does here is, it creates a new file in the current directory and tries to read the contents of the source file. Please note, this is all in my mind and it's not any hard-and-fast rule to use -L with chown. In this -Lin chown means to follow symlinks. So we can infer that after copying the file, it is changing ownership of the files using the following code ( this is just what I have thought of) rm -rf /opt/archive/john # remove the dirĬp -r /home/john/files/ /opt/archive/john # copy files directory as johnĬhown -RL john:john /opt/archive/john # recusively change the ownership On creating a file in /home/john/files with john user and student group, the cron job copied the file to /opt/archive/john and the group is changed to john. When you escalate your privileges from a non-privileged user to another non-privileged user, the process is called horizontal privilege escalationĪlso, I found the archive folder, the intuition came from message printed by /usr/bin/hello-john You will see on execution it will spawn bash shell of john user, but student group. The hello-john-message binary is not accessible to the world, but /usr/bin/hello-john is using the path from $PATH environment variable.Ĭreating the same file in the current directory with malicious code to escalate to the john user. When I looked for the strings in /usr/bin/hello-john binary, I found that it using system function to execute some hello-john-message binary On executing, it is simply showing a message regarding backup On checking for SUID binaries, I found that /usr/bin/hello-john is a suspicious binary with the owner set to john user. Since in this case, /tmp/ folder is empty and also there is no file in the home directory of the student user. On checking cron job service status, I found that it is running and the user has sudo privileges to manage the service So let's begin LAB: Symlinks Get Me Worried Here I will be discussing other labs that couldn't fit there If you haven't checked that out yet, you must go and read that post first – here I have already explained the basic misconfigurations there. This part is in continuation of my last post on cron job exploitation.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |