In this article we look at another very useful command, “cp” (copy), and cover the basic functions of the “cp” command that a user can use. As we know, this command copies files and directories from a source to a destination, so in this article we will study how the command can be used in Privilege Escalation.
Table of Content
Introduction to cp
· Major Operation performed using cp
Exploiting cp
· SUID Lab setups for privilege Escalation
· Exploiting SUID
Introduction to cp
cp stands for copy. This command helps to copy a file, a group of files or a directory from its source location to a destination. It generates an exact image of a file on disk with a different file name. The cp command needs at least two filenames in its arguments.
First, we will run its help command to make our readers more familiar with the use of the “cp” command.
cp --help
Copy single file to destination: As said above, the cp command helps the user to copy the content of a source file to its destination, so here I am replicating the content of a single file (raj.txt) to a new file (chiya.txt). If the destination file already exists, this command simply overwrites it without any warning message, but if the destination file doesn’t exist, “cp” first creates a new file and then copies the content of the source file into it.
cp raj.txt chiya.txt
With the above command, cp copies all the content of the file raj.txt to chiya.txt, as shown in the image below.
Copy multiple files to a directory: With this command we can copy not only a single file but also multiple files to a directory whenever needed. Suppose we have multiple files, as shown in the image below for the reader’s reference, and we want to copy them all at once to a specific directory. We can frame the command as shown below:
cp 1 2 3 chiya.txt demo/
With this command, cp copies the entire content of the files “1, 2, 3, chiya.txt” to the mentioned destination directory. If the directory doesn’t exist then first it will create a new directory and copy the content to it, but if the directory already exists then cp will erase all content from the destination directory and simply overwrite it, so be careful while copying content from source to destination.
Copy source directory to destination: With this option the “cp” command works recursively, replicating the entire directory structure. Suppose we want to copy all the files and directories that a directory contains. In this case we simply copy the whole directory instead of copying its files one by one to our desired destination path.
In the image below I have copied the entire content of the source directory “ignite” to the destination directory “demo2” (which does not exist). Either the -r or the -R argument can be used for this purpose.
cp -R ignite demo2
Interactive prompt: Normally the cp command simply overwrites the destination file if it exists, so to make it prompt for confirmation while copying a file we use the option “-i”. With this argument the command prompts before overwriting the file, which helps the user to save the content from being erased while copying from source to destination.
cp -i chiya.txt author
Here I want to copy the content of “chiya.txt” to “author”, which has some content of its own, so when I use the “-i” option it prompts me to confirm overwriting the text.
Backup a file: Whenever we need to create a backup of the destination file, we use the “-b” option. cp creates a backup of the file in the same folder with a different name and in a different format.
cp -b chiya.txt author
With the above command, cp creates a backup of the file “author” in the same folder with a different name.
Copying using * wildcard: Suppose we have many text documents in a directory and we want to replicate them into another directory. Copying all the files one by one takes a lot of time if we specify every file name as an argument, but with the * wildcard it becomes simple.
cp *.txt folder
On typing the above command, cp copies all “txt” files to the destination.
Force copy: Sometimes a user is unable to open a file for writing because of the permissions set on it. In such a case we use the force copy “-f” option of the cp command, which deletes the destination file first and then copies the content from the source to the destination file.
cp -f chiya.txt Example.txt
In the screenshot below we can see that the Example.txt file doesn’t have write permission, so by using the “-f” argument with the cp command the user can copy the content of the source file to the destination file.
SUID Lab setups for privilege Escalation
SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Assume we are accessing the victim’s machine as a non-root user and we find binaries with the SUID bit enabled. Those files/programs/commands can then run with root privileges.
Read more from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
Now we are going to give SUID permission to cp, so that a local user can use cp with the privileges of the root user.
Type the following to enable the SUID bit:
which cp
chmod u+s /bin/cp
ls -la /bin/cp
Exploiting SUID
For this we will connect to the target machine with ssh, so type the following command to get access through a local user login.
Then use the find command to identify binaries having SUID permission.
find / -perm -u=s -type f 2>/dev/null
So here we come to know that the SUID bit is enabled for many binary files, but the one we need is /bin/cp.
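From the defender's side, the same find query can be compared against a baseline of expected SUID binaries so that a newly SUID-enabled /bin/cp stands out. This is an added example, not code from the original article; the function names, the allowlist format and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: report SUID files that are not on an approved baseline.
# unexpected_suid, the allowlist format (one absolute path per line) and the
# demo tree below are assumptions made for illustration.

# unexpected_suid ROOT ALLOWLIST
# Prints every SUID regular file under ROOT whose path is not in ALLOWLIST.
unexpected_suid() {
    root=$1
    allow=$2
    # -perm -4000 is the numeric form of the article's "-perm -u=s" test;
    # -xdev keeps the scan on a single filesystem.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        # -x whole line, -F fixed string: "/bin/cp" must not match "/bin/cpio".
        if ! grep -qxF -- "$path" "$allow"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed demo: a throwaway tree in which bin/su and usr/bin/passwd are
# expected to be SUID, while bin/cp has been given the bit as in the lab setup.
demo_suid_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/usr/bin"
    for f in bin/cp bin/su bin/ls usr/bin/passwd; do
        : > "$tmp/$f"
        chmod 755 "$tmp/$f"
    done
    chmod u+s "$tmp/bin/cp" "$tmp/bin/su" "$tmp/usr/bin/passwd"
    printf '%s\n' "$tmp/bin/su" "$tmp/usr/bin/passwd" > "$tmp/allow"
    # Strip the temporary prefix so the finding reads like a real path.
    unexpected_suid "$tmp" "$tmp/allow" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

demo_suid_audit
```

On a real host, ROOT would be / and the allowlist would be generated from a known-good build of the same distribution.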
As we know, cp has SUID permission, so taking advantage of this right we will try to escalate to root privilege by injecting a new user into the /etc/passwd file.
First, we will open our /etc/passwd file with the tail command, which reads the file from its end and shows us that the file ends with the user “test”.
Now we create a salted password hash for our new user. This is done with “openssl”, using the command shown in the screenshot below.
openssl passwd -1 -salt ignite pass123
We will get our hash value; copy it for further use.
Moving ahead with this task, I have copied the entire content of the /etc/passwd file to our local machine and will add a new record for the user “chiya”, then paste the hashed password copied above into the record as shown below.
Name this file passwd and run a Python HTTP server to transfer the file to the victim’s machine.
python -m SimpleHTTPServer
Now we want to inject our modified passwd file into the /etc folder to replace the original passwd file. We will use wget to download the passwd file from our machine (Kali Linux) into the /tmp directory.
cd /tmp
Now, with the help of the cp command, we can easily copy the content of the source file to the destination, as shown in the image below.
cp passwd /etc/passwd
tail /etc/passwd
Now let’s switch to the user chiya, which has the root user’s privileges and can access the root shell.
su chiya
password: pass123
id
Conclusion: As you can see from the image below, we have escalated to root privilege by abusing the SUID permission on cp. Similarly, we can exploit a sudo permission assigned to the cp program.
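A check for the tampering described above, as an added example that is not part of the original article: it audits a passwd-format file for extra UID 0 accounts and for hashes stored directly in the password field. The function names and the sample records (including the placeholder hash) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the two traces the injected
# record leaves behind. audit_passwd and the sample data are assumptions.

# audit_passwd FILE
# Prints one finding per line in the form "<reason>:<account>".
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip blank and comment lines
        NF != 7 { print "malformed:" $1; next }  # passwd records have 7 fields
        # Any account other than root with UID 0 has full root privileges.
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        # Field 2 is normally "x" (hash kept in /etc/shadow) or a locked
        # marker starting with "*" or "!". Anything else is an inline hash,
        # and an empty field means no password at all.
        $2 == "" { print "emptypw:" $1; next }
        $2 != "x" && $2 !~ /^[*!]/ { print "inlinehash:" $1 }
    ' "$1"
}

# Constructed sample: three ordinary records plus one shaped like the record
# added in the article. The hash body is a placeholder, not real output.
demo_passwd_audit() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:1000:1000:test:/home/test:/bin/bash
chiya:$1$ignite$PLACEHOLDERHASHVALUE00:0:0:root:/root:/bin/bash
EOF
    audit_passwd "$sample"
    rm -f "$sample"
}

demo_passwd_audit
```

Run against /etc/passwd from a scheduled job, any output is worth an alert; pairing it with file-integrity monitoring on /etc/passwd catches the overwrite itself.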