A good choice to start learning is
Root Me allows us to practice with a lot of challenges, classified in arguments: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.
Let's start with the first category: App - Script.
The seventh challenge that we face is: SSH Agent Hijacking:
Vulnerability type:
- Privilege Escalation by Agent Forwarding
##################################################
On the web page of the challenge, click on "Start the challenge". If a game is already made, click on Join the game otherwise you need to start a new one. If it asks you to choose a virtual machine, choose "SSH Agent Hijacking" and click on "Save" button, then click on "Start the game" button. If the game was not made before, you should wait to the booting up of the system.
When it indicates the host where you need to connect, connect to it by typing:
- ssh admin@ctfXX.root-me.org
Now you are inside the target machine and our purpose is to get the /passwd file and the /root/.flag file. But you need to take the privileges of the root user to access these files.
How you can do this? You can exploit it by the agent forwarding.
The admin frequently connects and we should hijack his ssh-agent to get root on this box.
By documentation, we know ssh-agent is providing a socket for authentication and as we are using the same account we will have the same permissions. The socket is set using environment variable SSH_AUTH_SOCK.
You know that each minute you receive a wall message "Good Luck" by the administrator.
Looking around, you can see that on the ~/.ssh directory you have a authorized_keys file that contains the public key of root user (I think). If you try to move/rename/delete this file, the message from the administrator won't appear anymore.
Furthermore, I noted that in the /tmp folder, when the message appears, a directory named ssh-[random-char] is created and it contains a file called agent.[randomnumber], but this directory is deleted after some seconds.
If we are fast, we note that the file agent.[randomnumber] is a socket file (just look by file agent.[randomnumber] command).
It means that I can use that socket to authenticate myself as root user, but that socket file becomes invalid when the directory and the agent file are deleted (that is when the connection from the administrator is closed).
Thus the task is to be fast like the hell!
How can we do this? I made a bash script:
#!/bin/bash/expect -f
cd /tmp/ssh-*
export SSH_AUTH_SOCK=$PWD/$(ls)
ssh-add -l #Lists fingerprints of all identities currently represented by the
agent.
ssh root@localhost
whoamiThen I used ssh-add -l to list fingerprints of all identities currently represented by that agent assigned to SSH_AUTH_SOCK. We use it to verify the socket is usable. This command gives the following output:
2048 SHA256:8MiGCoeKkpOmI8UXQ80981aMeAgpwhbJ1gcoBjFcGjQ /root/.ssh/id_rsa (RSA)
Here I understand that to that agent is associated the private key of the root user.
If we were too slow, the output of the command was "The agent has no identities" because when the connection of the sysadmin has been closed, the agent becomes useless.
At the end of our script we connect quickly to the system as root by the command "ssh root@localhost", localhost because we must connect to the machine where we already are connected as admin.
whoami is used to see if I am authenticated as root.
When should we execute our script?
When the wall message appears, QUICKLY we must execute the script by:
- source script.sh
NOW YOU ARE THE ROOT!!!
Just access to /root/.flag to get the password to make successful the challenge and /passwd that contains the solution password to close the game.
Useful links:
Thanks for presenting the useful information about app security.
RispondiElimina