TryHackMe! Abusing SETUID Binaries - Vulnversity

Captions
How's it going, everybody? My name is John Hammond. It's been a little bit since I posted a video, so I wanted to get back into the swing of things. We're gonna be doing some TryHackMe; let's do the Vulnversity room over on the website there. So I'll switch to my screen here and we will go ahead over to the activities section, where we can look at all of the rooms that are available, and Vulnversity... so once this goes ahead and loads (it takes a little bit of time there), okay, cool, Vulnversity is here: "learn about active recon, web app attacks and privilege escalation". So let's go ahead and join the room, that green button there, and once that lets me in we should be able to tackle this. I do have my VPN config downloaded, so I'll go ahead and connect with that; that's just the John Hammond YouTube VPN key, log in with the password there. Now that that is connected, let's spin that up with a new terminal and let's make a directory for Vulnversity. Good, I guess I had an extra "i" in that, whatever. So we will need to deploy the machine, and that will go ahead and take a little bit of time, but we'll have an IP address. Oh, let me jot that down here. Let's make that the correct name, just for the Internet's sake, and let's make an IP address text file just so I can keep track of things. I ended up aliasing nano to vim, so that's just my convenience, as needed.

So that's deployed; let's go ahead and see if it's actually up. Let's ping that. Still taking a little bit of time, so we'll stand by, but that task, just to deploy it, should be done nice and easily, and then we're gonna want to go ahead and nmap the machine. So we use nmap. Do I have nmap installed? I should, and okay, good. I'm working off of a Kali install right now, so theoretically everything should be working okay for me. So we could use the nmap syntax that they recommend, with nmap -sV. Typically, just out of the norm, I'm using -sV and -sC, and TryHackMe is really, really nice: they actually just specify, hey, here's a good little cheat sheet or some information on what some of the flags, the arguments, the parameters actually do. So that -sC that I normally do will also scan with the default nmap scripts, because the nmap scripting engine, or NSE, is fantastic. So -sV will attempt to determine versions, and that's gonna be super duper handy, especially if we're gonna be trying to track down some vulnerabilities and exploits.

So it looks like that ping response came back. Let's make a directory, nmap, for some quick work here, and let's use nmap -sC, because I like to use that, -sV to enumerate versions, and I will use -oN so I can save it in that nmap directory; I'll just call it initial and the IP address. So now that that is started, we could go see what it's actually gonna ask us to determine. Scan the box: how many ports are open? Okay, we'll find that out as soon as we get our nmap results back. What version of the Squid proxy is running on the machine? Okay, we can assume Squid will be in there. How many ports will nmap scan if the flag -p-400 is used? Well, okay, so -p- up to a number will specify a port scan for all ports up to that number; -p- with nothing will go all the way up to port 65535, and -p- up to a certain number will go up to that number, so we can just specify that should be 400 as the total number of ports scanned, and TryHackMe lets me know, yep, that's correct. Okay, if using the nmap flag -n, what will it not resolve? So going back, we'll let nmap finish over there, but let's check out the man page for nmap, because we can see over here in their cheat sheet they actually don't discuss the -n flag. I'll actually just search for that with a forward slash: /-n lets me search in paginated output, or less, here, and that -n will never do DNS resolution. Okay, so we could specify "it will not resolve DNS" as our answer here. Good, that should submit, and now we have our results back, so let's kill that window and let's go take a look at what we have.

So FTP is open, vsftpd 3.0.3; SSH is open, port 22, probably Ubuntu. Okay, looks like we have a lot of telltale signs for Ubuntu. NetBIOS, SMB 445, Squid proxy here, interesting; oh, but we also have the version number that it was asking for. The Apache server is running on 3333. So how many ports do we have total? 1, 2, 3, 4, 5, 6. Okay, so that's that first answer: how many ports are open, we have 6. What is the version of the Squid proxy? Let's grab that here, 3.5.12, slap that in. What is most likely the operating system that machine is running? We saw a lot of telltale signs for Ubuntu, so let's give that a go. And what is the port that the web server is running on? So 3333, you can see, is running HTTP, and that's Apache, so we got a version number there if we wanted it, but 3333, go ahead and submit. "It's important to ensure you're always doing your reconnaissance thoroughly before progressing. Knowing all open services (excuse me) can also be points of exploitation is very important. Don't forget to scan for ports on a higher range." So always scan through ports even after a thousand. So yeah, let's go ahead and do that, leaving that running in the background. I'll be aggressive with that, I'll use -A, and let's call it all ports, and we'll specify that -p- so we go all the way from 0 to port 65535. There we go, we'll let that run.

So we know that there is a web service or a web server running on port 3333, so we could go ahead and take a look at that. I will slap that IP address in, go take a look at this page: it says "Vuln University" and "a nation can prosper in life without education". Cool, very cool. Okay, so now we could start to do our normal enumeration and reconnaissance on this website. You can use nikto, we could do a little bit more nmap stuff, we could do some other enumeration with dirbuster or gobuster, and that's actually what they recommend. We're going to end up using gobuster to go ahead and find other directories or locations on this website. So we could download gobuster; they give us a link here. I'm running in Kali, I did have to install it, I think, for my version. So gobuster, I just needed a little sudo apt install gobuster, and now we'll end up using it with dir as our "use directory or file brute forcing mode", and they recommend that here, and we can go find our wordlists over in /usr/share/wordlists. So we'll need that IP address, so let's use gobuster -u http:// that guy on port 3333, and we'll use a wordlist with the -w argument. So I'm gonna end up grabbing one out of /usr/share/wordlists, and I think dirbuster is what I like to use, and there is a directory-list-2.3-medium, which is kind of what I like to use. So "-u, shorthand flag -u": what does that mean? Oh, I forgot the word dir, derp, I don't know why I do that constantly. Okay, so now it's rolling through it. We can see an images directory; we can go take a look at that while we're here. Looks like that has a lot of potential pictures in there. Nice, dude, that's awesome, that's what we all came to YouTube for. CSS, JS for JavaScript, cascading style sheets, so a little bit more static information. Looks like that is being displayed with directory indexing, so that's kind of neat; we might be able to track down some other potential files in there if we wanted to. Of course we could run nikto. Do I have that installed? I do, yeah. Let's run it, let's run nikto; we're gonna need that http:// on port 3333. Good, it's rolling. But we also found some interesting thing here: /internal seems kind of new, so let's go check that out. /internal, nice, and looks like there is an upload functionality there. So that is what TryHackMe expected us to find; we did want to find this /internal page. We can go ahead and submit that, and good, that's correct, and we do want to end up saying yes, we successfully ran gobuster. Now that task 3 is done, why isn't task 2 done yet? Oh, forgot to tick complete up there. Okay, good.

Now let's go take a look at task 4, compromising the web server. "So now that you found a form to upload files, we can leverage this to upload and execute our payload that will lead to compromising the web server. Try to upload a few files to the server; what common extension seems to be blocked?" Okay, well, my knee-jerk reaction to this (we can ignore nikto and we can probably stop gobuster now that we found a location), my knee-jerk reaction to this is to try to upload a PHP reverse shell. So if you don't have that installed, you can go take a look at "php reverse shell" on GitHub; it's gonna showcase one that comes out of pentestmonkey, and this one is pretty awesome because it's a very, very stable and solid PHP reverse shell. So I'll just grab this. I'll save it in my /opt directory because I'm probably gonna end up wanting to use this more often; I don't think I actually have it in here just yet. So let's make a directory, revshell; I was gonna call it exploit, but that's really not what it's doing. So let's go ahead and copy that /opt PHP reverse shell into this directory, and let's modify this here, because I need to know my current IP address for this interface inside the VPN. So I'm looking at that tun0 interface, and that's 10.8.26.10, so we'll change that here, my IP address, and we'll use a new port; I'll use 9001 because it's over 9000, shout-out to IppSec, I love that joke. Okay, and now we can try to upload a few files to the server: what common extension seems to be blocked? Well, let's go ahead and start to listen on a port, so in case this executes: 9001. And let's move that PHP reverse shell to just something simple, revshell.php, so that's nice and easy for me to access. Let's go to CTF, TryHackMe, Vulnversity, revshell, revshell, upload that: it says "extension not allowed". Okay, a little annoying, right? So what this is telling me is that... let's try that: .php not allowed.

TryHackMe suggests we could go ahead and kind of enumerate what things might be useful out of Burp Suite: go through a couple of extensions for PHP files and see, maybe one of them will be allowed and one of them might not. So obviously we know .php won't work; we could try .php3, .php4, .php5, etc. etc. So they're doing this with Burp Suite. I kind of want to change the game, and I want to do this with Python, because I think that might be a little bit of fun and we could do some cool learning in that. So let me go ahead and create a little script; I'll use #!/usr/bin/env python, if I could type, and I'm gonna end up importing requests. Do I have requests? Will that work? Yeah, okay, cool. So let's grab the URL here; let's just change the IP address, make that its own actual variable. I'm going to use some f-strings just to be able to put that in place, because in case I need to revert this machine or something, I will be able to change that really easily in my script. I should be using argparse, but I'm not just yet; we could do that if we wanted to. So this is gonna end up POSTing to just itself, index.php, with some files in there: the type is file, that's the name of it, name is file and id is file. Okay, then we just need to go ahead and submit all that. So let's try to use Python requests to upload a file. I just want to showcase the documentation here so you can see it really nice and easily; I'll go to their quickstart, "POST a multipart-encoded file". So we have our URL, we just defined that, and they actually specify files as a dictionary with the file name that you want to end up working with. So let's say our filename can equal webshell, and then let's say extensions can be a good list of everything they already suggested: let's say .php, let's say .php3, .php5, .phtml. That's all that they suggested within TryHackMe; .php4 is also in the mix, whatever, let's just be nice, .php4. Okay, cool. So what we'll do is we'll say files can equal file, because that is exactly the name of the argument that the page is going to end up taking.

Let's clear that, let's clear that. So post URL with files=files, and we do go ahead and open it in that binary mode. So let's try that; that's all they're doing, yep. So let's open, and let's say, let's do this over and over again. So let's do for file in extensions; let's change that to ext. We'll do filename equals, and I'm going to use os so that way I can actually properly join these segments of a filename, so I like to use os.path.join with filename and extension. So just for a sanity check, let's display that. Okay, so that's getting a little bit messy: filename equals that, let's just say file, there we go, and printing filename when we want to be printing file. Okay, great. I do have a forward slash in there because it's using join as if they are a directory, so maybe that's not what I ended up needing to do; annoying. Let's just do filename plus extension, sure, whatever. I guess we don't need os for the time being, but we will end up needing to change that. So we could also specify headers explicitly, that's kind of neat; those are some other interesting things we could do with that file, but we're going to end up needing to rename this. So because we have this, we can specify files can equal file: open(file, 'rb'), and let's do a requests.post to that URL with files=files. So then that should return a response object for us; I'll just call that r so we can keep track of it, and we'll go ahead and see what it says. And it tried to do a few of those, but that's the only one that works: "extension not allowed". Okay, so now we know that the .php one, because it's trying that first, was getting that "extension not allowed". So we can say if "extension not allowed" in r.text, we can print, let's just say "extension not allowed", and otherwise we can say "seems to be allowed", maybe. And let's go ahead and rename that file to the original file; let's just call it, hmm, how do we want to keep track of the previous filename? This is peculiar, and we could just do a simple shutil, I think, to remove a file, or Python rename, rename a file. Oh, rename, we'll just straight-up do it: os.rename, is that a thing I can do? os.rename. Let's just say old filename, hmm, original filename equals revshell.php; let's just say new filename equals, and let's also set that old filename equal to that old filename. Yeah, we don't even need an original filename then; that variable isn't necessary for it, because we're just going to end up updating the old filename after each new one. So rename old filename to new filename, and then after we've gone ahead and tested something, let's rename, or let's reset, the old filename to be the new filename, so it's changing it automatically over and over again. Let's go: file is not defined, yep, because now we are on new filename; we don't need to print that out anymore. Not allowed, not allowed, not allowed, not allowed, but .phtml seems to be allowed. Cool.

So our script simply just determines it and brute-forces some extra files in there without using Burp Suite, which is kind of cool. Maybe that showcased a little bit more logic and some quick, dirty development in Python; wanted to bring that to you guys in case you had any interest. Simple script, simple loop, just looping through those and keeping track of the old filename, renaming it as we're working through. So what we've done now is we have actually uploaded this something as revshell.phtml, so we can say okay, yep, we've got that completed. We're not gonna use dirbuster or Burp Suite because I just don't particularly care, but .phtml might end up working for us. Let's go verify manually: .phtml reverse shell, success. Okay, good enough, we know that that one does work. So we downloaded a PHP reverse shell, we've already done all that; now we've set up the listener and we've gone to it, we've accessed it, so it is in /internal/uploads. I will clean this up a little bit and start the listener one more time. So now, back over on the upload page, if I check out uploads, there is a revshell.phtml there, so let's go ahead and activate that. Okay, great, and now I can see that shell came back to me. Awesome.

So this is kind of an unstable shell, so what I'm going to do is I'm going to use the python -c 'import pty; pty.spawn("/bin/bash")' technique. Now that will get me a shell, and I'll Ctrl-Z to foreground that, and I'll use stty raw -echo, and now I won't be able to type anymore, but I will specify fg, whack Enter a little bit, and then export TERM=xterm. So now I can Ctrl-L and tab-complete and use my left and right arrow keys, etc. etc. So now that we have a shell on the box, let's see what's next. Yep, we've gone ahead and got our connection. What user is running the web server? Okay, so let's just run whoami: www-data. Is that what it's particularly asking for? That's just running whoami; that's not the right number of asterisks, so that must not be right. Let's go find out who the users are on this machine. I see a bill user, okay, and his home directory is /home/bill, so let's head over there, /home/bill, and he has a user.txt file. If I check out the running processes, what do we have here? So Apache: bill is not running anything; root is another option, and root is actually running, again, seemingly no Apache; www-data, as it should be. Maybe we'll just specify bill, because that's a user that owns that machine. Okay, click submit. Okay, good, there we go. Thanks, thank you, thank you, notifications, I get it. Now what is the user flag? Well, we are in his home directory, so let's check out user.txt, and we have this little hash here, so let's slap that in there, and that is the user flag. Awesome.

Okay, so now that task is done; now we're on the last one here, privilege escalation. Okay, what do we have? "Now that you have compromised this machine, we're gonna escalate your privileges and become the super user, root. In Linux, SUID (set owner user ID upon execution) is a special type of file permission given to a file. It gives temporary permission to the user who runs the program or file with the permission of the file owner rather than the user who runs it. For example, the binary to change your password has SUID set on it: /usr/bin/passwd." And this is because, when you change your password, it'll need the rights to actually access the /etc/shadow file, which you do not have access to, but root does, so it has the ability to do that. So you can find it with the s notation on ls -l. So if I were to use ls -l on that /usr/bin/passwd, it is rws, and you can see that s specifies, okay, this is a SUID binary. "On the system, search for all SUID files. What file stands out?" Okay, so we could do this with a little "linux find setuid"; we could just kind of Google this, and this is a pretty well-known thing: find in the current directory, -user root, -perm... that -perm -4000 is really the best thing to end up using, because that'll specify those files that are set to 4000. So I'll do that. I'll do find in the root directory with -perm -4000, and I'm gonna actually redirect the standard error to /dev/null, because there are gonna be a lot of things that I can't actually access. So it's gonna take a little bit to search for this. Okay, scrolling through a few more of these: su, ntfs, mount, ping6, that's kind of normal, typically; systemctl, that's peculiar, it's kind of odd. Oh, okay, I don't know what that did or why that did that. Okay, so it looks like we have a lot of options. /bin/systemctl I'm kind of curious about, because I don't think that's often something that is SUID. Let me try and run this on my machine and find out. So find / with that same -perm -4000, yeah, and we'll redirect the standard output to nowhere, standard error, sorry. So some of these might have SUID binaries in here. Okay, so no, systemctl is not normal, and that's all; I just wanted to use my machine as kind of a baseline, because maybe systemctl, I have it installed, it's a thing. Okay, maybe systemctl is our candidate for a potential privesc. Let me scroll back down here, so let's try it: this file stands out, and systemctl is not normally one that is a SUID binary.

So now we've got to treat this further: "are you able to exploit the system to escalate your privileges?" Well, if /bin/systemctl is a SUID binary, we might be able to use that for privilege escalation. We can go check out GTFOBins, because this is a fantastic resource for potential privilege escalations for some binaries that might happen to be on a system; you can do things like get a shell, run a command to get a reverse shell, read files, download files, etc. etc. So let's go take a look at systemctl, and because it's running with SUID: "if it runs with the SUID bit, it can probably be exploited to access the file system, escalate or maintain access with elevated privileges. If it's used to run sh, you can omit it with -p. They give us some code here, an example that creates a local SUID copy of the binary and runs it to maintain escalated privileges. To exploit an existing SUID binary, skip the first command and run the program using its original path." Okay, okay, so yeah, because it's existing, because it already has the SUID bit, we could just copy all of this. So it'll create a temporary service file where it will execute some commands, /bin/sh -c and a one-liner, so it'll just execute there. We could do this, we could control this; maybe it would give us a reverse shell, or, this is a good technique that I like to use, where I like to change bash to be a SUID binary so I could actually use bash -p and then escalate my privileges to become root temporarily. Like, if I check whoami right now, I'm just www-data; I don't have any kind of effective user rights. But if I were to modify this: here's a quick paste in here, yep, I copied everything that we needed to. Let's actually grab that make-service syntax and let's execute chmod +s on /bin/bash. So if I don't run this, let's check out the rights on /bin/bash right now: it is only executable, there's no SUID bit. So if I were to try and run /bin/bash -p, which will allow me to keep permissions and privileges, I'm still www-data; that hasn't changed anything for me. So let's try and use this here, and we don't need to use ./systemctl, we could specify that as /bin/systemctl: it's not gonna use the period as the current directory like a relative location; I want to actually use the full path. So now that bash will be executed, this command will be run as root; it'll make /bin/bash a SUID binary, so when I run bash -p I can effectively become root. So let's try that: slap this in, ran it, created a symlink, great, and since it has run with that enable --now, now let's check out the rights on that /bin/bash. Great, now you can see that s here, just as we discussed, and it has the SUID bit, so I could simply run bash -p, and now I'm root. Check that out: it still thinks I'm www-data, but my effective user ID, using that -p permission, those privileges that I can retain, I am in fact root. So now I can go check out the /root directory, and I could grab that root flag, because I have permissions to access this, because I am running effectively as root with bash -p, all because we were able to make that /bin/bash a SUID binary that I can run, abusing this systemctl that we were able to execute because that was a SUID binary. So that's kind of cool. Let's go collect some points here, finish this up. Let's go back to our shell, let's cat out that root.txt file, and let's go slap that guy in so we can finish this room. All right, congratulations, you completed the room.

That was Vulnversity from TryHackMe. I hope that was kind of cool, I hope that was kind of fun. I just wanted to showcase some other techniques. I think using Python to roll through that, kind of hammering the server, might be kind of cool; it allows you to have a little bit more flexibility in what it really does and how much more you want to add for some other file extensions. I also hope you liked that /bin/bash SUID technique. I like to use that, because if you already have access to the machine and you can execute commands, just make bash -p actually work so you can escalate; that's a quick and easy privesc, you don't need to, like, fumble around getting a reverse shell, maybe in a small attack vector like we had, because we could only run seemingly one line, or I guess we could modify that service to do whatever we wanted to, but I think that's quick and easy. So hey, that's that. Thank you guys so much for watching. I hope you enjoyed this video; if you did, please do press that like button; if you didn't, press the dislike button twice so I know how much you hated it, I don't know. I'd love to see if you could leave a comment, hit the subscribe button, do all those things the YouTube algorithm loves to see. I'm on Patreon, PayPal, Discord; there's a link in the description to the server, tons of cool people and they're a lot smarter than me. Facebook, Instagram, Twitter, LinkedIn and all those other social media things. Okay, thank you guys for watching, I'll see you in the next one, take care.
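The upload filter in the video behaves like a denylist: .php, .php3, .php4 and .php5 come back "extension not allowed" while .phtml goes through (and Debian's Apache PHP handler matches .phtml too). The following is an added example, not code from the video or the room, that reconstructs such a denylist from those observed results and puts it beside an allowlist check; the exact server-side check of the room is not shown, so DENYLIST and the function names are assumptions.

```python
"""
Added example (not from the video): a denylist upload check beside an
allowlist one, run over the same extension list the video brute-forces.
The denylist contents are an assumption reconstructed from the video's
results; the room's real check is not visible.
"""
import os

# The extensions the video loops over.
VIDEO_EXTENSIONS = [".php", ".php3", ".php5", ".phtml", ".php4"]
# Constructed names that a suffix denylist tends to miss.
TRICKY_NAMES = ["revshell.PHP", "revshell.php.jpg", "revshell.jpg.php", "revshell"]

# Assumed denylist: blocks exactly what the video saw blocked, nothing else.
DENYLIST = {".php", ".php3", ".php4", ".php5"}

def denylist_allows(filename: str) -> bool:
    """Vulnerable check: refuses only names whose final suffix is in DENYLIST.
    .phtml, upper-case .PHP and anything unlisted slip through."""
    _, ext = os.path.splitext(filename)
    return ext not in DENYLIST

# Hardened check: an allowlist of expected types, case-folded, applied to the
# whole basename so double extensions ("x.php.jpg", "x.jpg.php") are refused.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}

def allowlist_allows(filename: str) -> bool:
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, a dotfile, or more than one dot
    return "." + parts[1] in ALLOWLIST

def compare(filenames):
    """Return {name: (denylist_verdict, allowlist_verdict)} for each name."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in filenames}

if __name__ == "__main__":
    names = ["revshell" + e for e in VIDEO_EXTENSIONS] + TRICKY_NAMES + ["cat.jpg"]
    for name, (deny, allow) in compare(names).items():
        d = "allowed" if deny else "blocked"
        a = "allowed" if allow else "blocked"
        print(f"{name:18} denylist={d:8} allowlist={a}")
```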
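The SUID hunt in the video is `find / -perm -4000 2>/dev/null`, with the result compared against a clean machine to spot /bin/systemctl. As an added example (not the video's or the room's code), this does the same audit in Python and diffs the result against a baseline, which also catches the /bin/bash that gets the SUID bit later in the video; the BASELINE set and the sample modes are constructed for illustration.

```python
"""
Added example (not from the video): find regular files with the setuid bit
(the `-perm -4000` test) and report any that are not in a known baseline.
BASELINE and the sample snapshot are constructed for illustration.
"""
import os
import stat

# Constructed baseline: the SUID binaries the video treats as normal on Ubuntu.
BASELINE = {"/bin/su", "/bin/mount", "/bin/ping6", "/bin/ntfs-3g", "/usr/bin/passwd"}

def is_suid(mode: int) -> bool:
    """True for a regular file whose setuid bit is set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def find_suid(root: str) -> set:
    """Walk `root` like find(1), swallowing permission errors (the 2>/dev/null)."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if is_suid(st.st_mode):
                found.add(path)
    return found

def unexpected_suid(found: set, baseline: set = BASELINE) -> list:
    """Setuid paths not in the baseline, sorted; /bin/systemctl would land here."""
    return sorted(found - baseline)

def audit_modes(entries: dict, baseline: set = BASELINE) -> list:
    """Same diff over a {path: st_mode} map, so it runs without a real filesystem."""
    found = {p for p, m in entries.items() if is_suid(m)}
    return unexpected_suid(found, baseline)

if __name__ == "__main__":
    # Constructed snapshot shaped like the video's find output (mode = type | perms).
    sample = {
        "/bin/su": 0o104755,
        "/bin/mount": 0o104755,
        "/bin/ping6": 0o104755,
        "/usr/bin/passwd": 0o104755,
        "/bin/systemctl": 0o104755,  # the odd one out
        "/bin/bash": 0o100755,       # normal: no setuid bit
    }
    print("unexpected SUID in snapshot:", audit_modes(sample))
    print("unexpected SUID under /usr/bin on this host:", unexpected_suid(find_suid("/usr/bin")))
```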
Info
Channel: John Hammond
Views: 101,383
Id: hvYWCegfEZs
Length: 29min 34sec (1774 seconds)
Published: Thu Apr 09 2020