0

I'm struggling with a machine (it's intended to be used for pen-testing training, it has been given by the university professor).

I've got a foothold into the machine and I've passed from www-data to developer, and there is another user called jamal with clearly important information to get root, who's the objective of the study.

I managed to find a folder /opt/scripts where there two files, utils.sh and backup.py. I can't edit neither of them since I don't have privileges (even the folder is protected).

Besides, I've sudo permission on utils.sh like this:

Matching Defaults entries for developer on app4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on app4:
    (jamal) SETENV: NOPASSWD: /opt/scripts/utils.sh

So I think I can use the program for getting into jamal. For what I tried, creating another echo in another folder with a reverse shell, changing the $PATH and then run it whit sudo -E doesn't work. Any suggestions?

Here's the code for utils and backup:

utils.sh

#!/bin/bash

view_users()
{
    /usr/bin/w
}

view_crontab()
{
    /usr/bin/crontab -l
}


backup_web()
{
    if [ "$EUID" -eq 1001 ]
    then
        echo "Running backup script..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges."
    fi
}


# Non-interactive way
if [ $# -eq 1 ]
then
    option=$1
    case $option in
        1) view_users ;;
        2) view_crontab ;;
        3) backup_web ;;

        *) echo "Unknown option." >&2
    esac

    exit 0
fi


# Interactive way, to be called from the command line
options=("View logged in users"
         "View crontab"
         "Backup web data"
         "Quit")

echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
    case $REPLY in
        1) view_users ; break ;;
        2) view_crontab ; break ;;
        3) backup_web ; break ;;
        4) echo "Bye!" ; break ;;

        *) echo "Unknown option." >&2
    esac
done

exit 0

backup.py

#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

dst = '/tmp/backup'

make_archive(dst, 'gztar', src)

PS: the file that backup.py create doesn't contain anything useful: it's all information I already got.

Adriano
  • 7
  • 3
  • 3
    What are you trying to do? Become root? Have you discussed this with Jamal and/or the owner of the machine? – Thomas Feb 04 '21 at 13:54
  • Please add some details which clarify that what you are trying to do is not intentionally prevented in your environment. This is important, because if it is not about you not knowing how and instead a situation of you not being meant to, then any possible solution might fail - and intentionally so. – Yunnosch Feb 04 '21 at 13:58
  • 1
    It's a deliberately vulnerable machine for training, I'll add this in the text of the question – Adriano Feb 04 '21 at 14:00
  • @Yunnosh I don't understand what you're trying to say. English is not my motherlanguage – Adriano Feb 04 '21 at 14:02
  • It is fine. You already answered with "intentionally vulnerable machine for training". And now I can admit that I politely accused you of asking for help with a malicious attack. Seems a reasonably plausible honest learning now. However, I recommend to try your best to make that as plausible as possible, because many users are extremely careful with not helping the black-hat people here. ;-) – Yunnosch Feb 04 '21 at 14:03
  • 1
    @Yunnosh okay :) Anyway, if a black-hat was stuck in a machine like this one (that's meant to be easy-medium) it would be quite a disappointing black-hat ahaha – Adriano Feb 04 '21 at 14:08

1 Answers1

0

This looks dangerous to me:

    (jamal) SETENV: NOPASSWD: /opt/scripts/utils.sh
            ^^^^^^^

Your user developer can run /opt/scripts/utils.sh as Jamal, but also choose all environment variables while that script is being run. sudoers(5) explicitly warns about this:

Additionally, environment variables set on the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner.

How is that a vulnerability? utils.sh only executes commands using absolute paths and functions from its local scope, so an exploit using the PATH variable is out of the question. However, there are several other options.

Preloading a library with LD_PRELOAD is one way: the library is loaded as soon as a shell is started to run utils.sh. You can compile your own dynamic library with initialization code that does whatever you need.

An even easier approach is to exploit PYTHONPATH to provide your own shutil.py module, with an implementation of make_archive that contains your payload.

The exact implementation is left as an exercise to the reader ;)

Thomas
  • 174,939
  • 50
  • 355
  • 478