
Misconfigured $PATH environment

The $PATH variable lists the directories the shell searches for an executable file. For example, when we use the ls command we do not have to type the full path of the ls binary. This is sometimes dangerous: if $PATH is misconfigured, it becomes a security problem.

We build an example to show the vulnerability. We create a C file named misconfigurationBinary.c. We assume this file was written incorrectly.

We compile the C file with gcc.

We rename the compiled file a.out to misconfigurationBinary.c

We set the SUID bit on the file.

We create an exploit named ls, because we abuse the ls command: the file has to be named ls since we will add /tmp to the $PATH environment variable, and the directory we prepend to $PATH is searched first when a command is run. We use a shebang (#!) so the file executes without typing python3 in front of it. So we add this first line:

#!/usr/bin/python3

We give the file execute permission.

We add the tmp directory to the $PATH environment variable with the export command.

export PATH=<the path you want to add>:$PATH

We run misconfigurationBinary and we get root.
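As an added example (not the post's misconfigurationBinary.c, whose source is not shown), this C program contrasts the vulnerable pattern the post describes, a SUID binary that resolves ls through the caller's $PATH, with a hardened version, and adds a small check an auditor can run on a PATH string. The allowlist of trusted directories, the function names, and the choice of ls as the called tool are assumptions of this example.

```c
/* Added example (not the original post's code): a SUID helper in its
 * vulnerable form and a hardened form, plus a check for untrusted PATH
 * entries. The allowlist and names are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE: with the SUID bit set, the effective uid is root while PATH
 * still comes from the caller. system() runs "sh -c ls", so "ls" is
 * resolved through that PATH and any directory the caller prepends wins. */
int run_ls_vulnerable(void)
{
    return system("ls");
}

/* Directories this example trusts in PATH (an allowlist assumed here). */
static const char *const TRUSTED_DIRS[] = {
    "/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
    "/usr/bin", "/sbin", "/bin", NULL
};

/* An entry is trusted only if it exactly matches an allowlisted directory.
 * Empty entries and "." mean the current directory; relative paths and
 * world-writable locations such as /tmp are rejected as well. */
static int entry_is_trusted(const char *s, size_t len)
{
    if (len == 0)
        return 0;
    for (const char *const *t = TRUSTED_DIRS; *t != NULL; t++)
        if (strlen(*t) == len && strncmp(*t, s, len) == 0)
            return 1;
    return 0;
}

/* Returns 1 if any PATH entry is untrusted, 0 if every entry is trusted.
 * Entries are split by hand so that empty entries ("a::b") are not skipped. */
int path_has_untrusted_entry(const char *path)
{
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (!entry_is_trusted(start, len))
            return 1;
        if (end == NULL)
            return 0;
        start = end + 1;
    }
}

/* HARDENED: give the child a fixed PATH, drop the elevated privileges
 * before exec, and call the tool by absolute path so PATH is never
 * consulted at all. Returns the child's exit status, or -1 on error. */
int run_ls_hardened(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* minimal, trusted environment for the child */
        char *const env[] = { "PATH=/usr/bin:/bin", NULL };
        /* drop root first: the real ids belong to the invoking user */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execle("/bin/ls", "ls", (char *)NULL, env);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* warn about the condition the post exploits before doing any work */
    const char *path = getenv("PATH");
    if (path != NULL && path_has_untrusted_entry(path))
        fprintf(stderr, "warning: PATH contains an untrusted entry: %s\n", path);
    return run_ls_hardened();
}
```

Compile with gcc and, only in a lab, set the SUID bit on the result to compare the two: run_ls_vulnerable() resolves ls through whatever PATH the caller exported, while run_ls_hardened() never consults it and has already returned to the caller's own uid and gid before exec. The path_has_untrusted_entry() check is the same test an audit script can apply to the environment of any SUID helper or cron job.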


DC6 Vulnhub Walkthrough

Target machine ip is 192.168.209.130

DC6 can be found on the Vulnhub website.

We scan the target machine with nmapAutomator.

We find some usernames that may be useful.

We connect to the website and see that it was built with WordPress.

There is a clue from the creator of the target machine. We follow it.

The clue he gave suggests there will be a brute-force attack. We brute-force the WordPress login with wpscan, which is a very powerful tool for WordPress sites.

We find the password that matches the username.

We log in to the website.

The Activity Monitor plugin looks interesting, and we search for it on exploit-db.

We find a related exploit that we can use and change the necessary parts.


We open the file with Firefox and see an HTML page with one button.

Before we press the button, we start a listener with the nc command.

We get a shell on the system.

We find a strange file under the mark directory.

The file contains login information for the user graham. We connect as graham via ssh.

We start an HTTP server to serve linpeas to the target machine and download it there with wget.

We execute linpeas and find a file with the SUID bit.

We change backups.sh.

We execute /home/jens/backups.sh

We execute linpeas again and find another SUID bit.

We look for a privilege escalation through the nmap command.

We get root.