How it works under the hood is that the `*` character gets expanded to all the matching files. If we have the files `a`, `b` and `c` in our current directory, and we run `rm *`, then the outcome will be `rm a b c`.

The problem

As we know, we can pass flags to programs on the command line to

Just `rm` then it will recursively and forcefully delete files without

Now what would happen if we ran `rm *` and had a file in the current directory with name `-rf`? Shell expansion of the `*` would cause the command to become `rm -rf a b c` and `-rf` will be interpreted as a

This is bad news when a privileged user or script uses wildcards in a command which has potentially dangerous flags, in particular, ones

Dangerous programs: chown and chmod

Both chown and chmod can be exploited in the same way, so I will only explain chown.

Chown is a program which allows you to change the owner of a specified file. The following example changes the owner of some-file.txt to be some-user:

Chown has a `--reference=some-reference-file` flag, which specifies that the owner of the file should be the same as the owner of the reference file. An example should help:

```
chown some-user some-file.txt --reference=some-reference-file
```

Let's say the owner of some-reference-file is another-user. In that case, the owner of some-file.txt will be another-user instead of some-user.

Let's say we have a vulnerable program called vulnerable.sh which contains the following:

Then we create a file which will inject the flag:

If you create a symlink to /etc/passwd in the same directory, then the owner of /etc/passwd will also be you, which will allow you to gain a root shell. For more detailed information about escalating privileges using /etc/passwd, refer to this article.

Tar is a program which allows you to collect files into an archive. In tar, there are "checkpoint" flags, which allow you to execute actions after a specified number of files have been archived. Since we can inject those flags with wildcard injection, we can use checkpoints to execute commands of our choosing. If tar is run as the root user, the commands will also be run as the root user.

Given this vulnerability, an easy way to gain root privileges is by making ourselves a sudoer. A sudoer is a user who can assume root privileges. These users are specified in the /etc/sudoers file. By just appending one extra line to that file, we can make ourselves a sudoer as well.

Let's say we have a vulnerable program and cron is being used to run it periodically.

The shell script will append code to /etc/sudoers that will make you a sudoer. The line you need to add to /etc/sudoers is `my-user ALL=(root) NOPASSWD: ALL`.

```
echo 'echo "my-user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > demo.sh
```

The shell script should be in the same directory as the wildcard.

3) Inject a flag which specifies the checkpoint action

Note that we will have to change my-user to be the actual user we want to make a sudoer.
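An added example, not part of the original post: a shell audit for the condition the post relies on, namely file names beginning with `-` in a directory where a privileged command uses a bare `*`. The function names and the sample directory are constructed for illustration; the output also shows that `./*`, or a `--` before the wildcard (for programs that follow the usual getopt convention), keeps those names from being parsed as options.

```shell
#!/bin/sh
# Added example (not from the original post): audit for option-like file names.

# Print every entry in directory $1 whose name begins with '-'.
# These are the names a bare `*` would pass to a program as flags.
flaglike_names() {
    for path in "$1"/-*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "${path##*/}"
    done
}

# Count how many of the given arguments a program would parse as options.
# Option parsing stops at a literal `--`, so nothing after it is counted.
count_option_args() {
    n=0
    for arg in "$@"; do
        [ "$arg" = "--" ] && break
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# Constructed sample directory: two ordinary files plus the two planted
# names the text discusses (-rf and --reference=some-reference-file).
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a"
    : > "$dir/b"
    : > "$dir/-rf"
    : > "$dir/--reference=some-reference-file"
    printf '%s\n' "$dir"
}

sample=$(make_sample_dir) || exit 1
echo "option-like names in $sample:"
flaglike_names "$sample"
cd "$sample" || exit 1
echo "bare *  -> $(count_option_args *) argument(s) parsed as options"
echo "./*     -> $(count_option_args ./*) argument(s) parsed as options"
echo "-- *    -> $(count_option_args -- *) argument(s) parsed as options"
cd / && rm -rf -- "$sample"
```

Running `flaglike_names` over directories that root-owned cron jobs or scripts glob in, especially world-writable ones, flags planted names before a wildcard command picks them up.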