sabato 10 novembre 2018

RootMe - CTF App Security - SSH Agent Hijacking

I'm considering seriously the CTF topic, it is so funny but I need to learn more and more.

A good choice to start learning is

Root Me allows us to practice with a lot of challenges, classified in arguments: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.

Let's start with the first category: App - Script.

The seventh challenge that we face is: SSH Agent Hijacking:

Vulnerability type:
  • Privilege Escalation by Agent Forwarding


On the web page of the challenge, click on "Start the challenge". If a game is already made, click on Join the game otherwise you need to start a new one. If it asks you to choose a virtual machine, choose "SSH Agent Hijacking" and click on "Save" button, then click on "Start the game" button. If the game was not made before, you should wait to the booting up of the system.

When it indicates the host where you need to connect, connect to it by typing:
  • ssh
The password to connect is "admin", as suggested by the track of the challenge.

Now you are inside the target machine and our purpose is to get the /passwd file and the /root/.flag file. But you need to take the privileges of the root user to access these files.
How you can do this? You can exploit it by the agent forwarding.

The admin frequently connects and we should hijack his ssh-agent to get root on this box.
By documentation, we know ssh-agent is providing a socket for authentication and as we are using the same account we will have the same permissions. The socket is set using environment variable SSH_AUTH_SOCK.

You know that each minute you receive a wall message "Good Luck" by the administrator.

Looking around, you can see that on the ~/.ssh directory you have a authorized_keys file that contains the public key of root user (I think). If you try to move/rename/delete this file, the message from the administrator won't appear anymore.

Furthermore, I noted that in the /tmp folder, when the message appears, a directory named ssh-[random-char] is created and it contains a file called agent.[randomnumber], but this directory is deleted after some seconds.

If we are fast, we note that the file agent.[randomnumber] is a socket file (just look by file agent.[randomnumber] command).

It means that I can use that socket to authenticate myself as root user, but that socket file becomes invalid when the directory and the agent file are deleted (that is when the connection from the administrator is closed).

Thus the task is to be fast like the hell!

How can we do this? I made a bash script:
#!/bin/bash/expect -f

cd /tmp/ssh-*
export SSH_AUTH_SOCK=$PWD/$(ls)
ssh-add -l #Lists fingerprints of all identities currently represented by the
ssh root@localhost
So I assigned the agent file to the SSH_AUTH_SOCK environment variable so that I can authenticate as root user.

Then I used ssh-add -l to list fingerprints of all identities currently represented by that agent assigned to SSH_AUTH_SOCK. We use it to verify the socket is usable. This command gives the following output:

2048 SHA256:8MiGCoeKkpOmI8UXQ80981aMeAgpwhbJ1gcoBjFcGjQ /root/.ssh/id_rsa (RSA)

Here I understand that to that agent is associated the private key of the root user.
If we were too slow, the output of the command was "The agent has no identities" because when the connection of the sysadmin has been closed, the agent becomes useless.

At the end of our script we connect quickly to the system as root by the command "ssh root@localhost", localhost because we must connect to the machine where we already are connected as admin.

whoami is used to see if I am authenticated as root.

When should we execute our script?
When the wall message appears, QUICKLY we must execute the script by:
  • source
It will ask you to confirm the authenticity of the host, you just enter by keyboard "yes", quickly.


Just access to /root/.flag to get the password to make successful the challenge and /passwd that contains the solution password to close the game.

Useful links:

1 commento: