4

I am doing a ctf and I am in the last step of it --privilege escalation. With the sudo -l command, the output was this:

Matching Defaults entries for nick on 192:

always_set_home, !env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",!insults, targetpw




User nick may run the following commands on 192:
    (ALL) ALL
    (root) NOPASSWD: /restart-apache

I know that env_reset shouldn't be disabled but I can't figure out the way to use it to get root access!

$ file restart-apache
restart-apache: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=1b1a4ab278b2d1be83e8b14adfc358cfd277d655, for GNU/Linux 3.2.0, with debug_info, not stripped
Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
stevenman
  • 49

3 Answers3

6

From the sudoers man page:

If, however, the env_reset option is disabled, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process.

So, you can insert arbitrary environment variables to the launched process.

You don't show what sort of a program /restart-apache is, but if just so happens to be a shell script, this should be easy. Can you think of any environment variables that would affect what it does? What happens, exactly, when a shell script runs pretty much any command? Where does it find it?

Ok, turns out I didn't get lucky, and it was an actual compiled program instead, so it probably doesn't run that many commands via PATH. It still might, but it's hard to count on that.

That output from file looks like it might be truncated: the output I get from file /bin/ls is this (split to multiple lines):

/bin/ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
for GNU/Linux 2.6.32, BuildID[sha1]=3c233e12c466a83aa9b2094b07dbfaa5bd10eccd,
stripped

(The full path to the interpreter is missing from the output in the question.)

If your program uses ld-linux-x86-64.so.2, as all "normal" dynamic executables do, we can start looking at what actually happens when you run such a program. E.g. from here: What is /lib64/ld-linux-x86-64.so.2 and why can it be used to execute file?.

Spoiler: the program itself isn't what first runs.

We also find the man page of the dynamic linker. That man page lists some interesting environment variables, which affect the way the program is set up when started, the ones with names like LD_*. You may need to do some coding to get it to do what you want.

ilkkachu
  • 138,973
  • i edited my initial post and added the "file" command to help you understand what is restart-apache! – stevenman Feb 19 '21 at 16:01
  • @stevenman, so I didn't get lucky, too bad. Okay, edited to add some pointers to how dynamic executables are launched. What you're doing sounds enough of an exercise that I'm loath to give straight answers, but want to try to also leave something for you to find. I'm just evil like that, sorry. – ilkkachu Feb 19 '21 at 21:37
3

env_reset is not set and env_delete does not contain LD_PRELOAD and env_check is unset. LD_PRELOAD=/tmp/sploit.so and root is yours.

The code in sploit.so would be:

#include <unistd.h>
void *malloc(size_t size)
{
    static const char* run[] = { "/bin/sh", NULL };
    static const char* env[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", "IFS= \t\n", NULL}
    execve(run[0], run, env);
    _exit(255);
}
Joshua
  • 1,893
  • Unfortunately the output is: sudo: sorry, you are not allowed to set the following environment variables: LD_PRELOAD – stevenman Feb 20 '21 at 11:29
  • @stevenman: There must be more restrictions than in the question. I'm not going to get very far without the source for restart_apache. – Joshua Feb 20 '21 at 16:07
  • @stevenman: can you run a feature probe and see if you can set variable Z? I've got a sneaking suspicion that things are not as they seem. – Joshua Feb 20 '21 at 16:10
  • I ve got a hint that the restart-apache is running a command without specifying the path. So i have to find some information about the excecutable, but im totally noob in reverse engineer... – stevenman Feb 20 '21 at 17:22
  • @stevenman: in which case the attack is probably PATH=something; you could read strings on the binary or just try PATH=/tmp and read error messages. – Joshua Feb 20 '21 at 17:25
  • Itried strings /restart-apache and from the ouput i found "systemctl restart apache2". You think is usefull? – stevenman Feb 20 '21 at 17:33
  • @stevenman: Yup. So if systemctl were to be resolved out of /tmp... – Joshua Feb 20 '21 at 17:38
  • Hm could you be a little more specific please : D – stevenman Feb 20 '21 at 17:41
  • Should i make a bash reverse shell called systemctl and /restart-apache will use it? – stevenman Feb 20 '21 at 17:49
  • @stevenman, if the program runs systemctl blah blah, using the path, and you set PATH=/tmp for it, then it'll run /tmp/systemctl, which you can handily provide as a shell script if you like. What you do there, is up to you, you could run a reverse shell directly, or just download/install whatever you need on the system. Like adding some lines to sudoers, or making a setuid copy of the shell (though note that at least Bash doesn't like that much, you'd need to run it with the -p option, then.) – ilkkachu Feb 21 '21 at 21:59
2

Just to supplement ilkkachu's answer:

If you can execute something with a custom LD_LIBRARY_PATH you can force it to use different standard libraries. Very many things link to libc.so. You can check this with ldd. Eg ldd $(which ls):

linux-vdso.so.1 (0x00007fffcc103000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fb4550ff000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb454f0d000)
libpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fb454e7d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb454e77000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb45515b000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb454e54000)

Now, you can create a custom libc.so that mimics the standard one by loading the main system one dynamically and having every call forward to the system one... now you have that you can replace any standard C function in that spoof library to do anything as well as what it's supposed to.

So you can create a spoof libc.so which spawns a new root shell (sh, or bash) for the user when malloc() is called the first time.

All this means if you give someone just sudo access to run a single program, that program can be tricked into running anything by setting LD_LIBRARY_PATH and supplying a spoof library (libc.so).

Philip Couling
  • 18,733
  • Thank you for your response. I ldd /restart -apache and found 3 libraries which restart-apache uses. So i made a script and rename it with the same name as the used library. But whene i sudo LD_LIBRAY_PATH=/tmp/libc.so.6 /restart-apache the output is: sudo: sorry, you are not allowed to set the following environment variables:LD_LIBRAARY_PATH – stevenman Feb 20 '21 at 12:37