Nytro Posted May 9, 2020

Privilege Escalation by abusing SYS_PTRACE Linux Capability
Nishant Sharma, May 8

Linux Capabilities are used to allow binaries (executed by non-root users) to perform privileged operations without giving them full root permissions. There are 40 capabilities supported by the Linux kernel; the list can be found here. This model allows a binary or program to be granted specific permissions to perform privileged operations, rather than giving it root privileges by setting the setuid or setgid bit or by granting passwordless sudo. As this topic is out of the scope of this post, we encourage the reader to check the following links:

Linux capabilities in practice
Linux Audit

Lab Scenario

We have set up the scenario below in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab: The Basics: CAP_SYS_PTRACE

This lab comprises a Linux machine with the necessary tools installed on it. The user or practitioner gets command-line interface (CLI) access to a bash shell inside a running container as the student user, through the web browser.

Challenge Statement

In this lab, you need to abuse CAP_SYS_PTRACE to get root on the box! A flag is kept in root's home directory.

Objective: Escalate to the root user and retrieve the flag!

Solution

Step 1: Find all binaries which have capabilities set on them.

Command: getcap -r / 2>/dev/null

[Screenshot: Finding files with capabilities]

The CAP_SYS_PTRACE capability is present in the permitted set of the /usr/bin/python2.7 binary. As a result, the current user can attach to other processes and trace their system calls.

Step 2: Check the services running on the machine.

Command: ps -eaf

[Screenshot: Process Listing (Part I)]
[Screenshot: Process Listing (Part II)]

Nginx is running on the machine. The Nginx master process is running as root and has PID 236.

Step 3: Check the architecture of the machine.
Command: uname -m

[Screenshot: Checking system architecture]

The machine is running 64-bit Linux.

Step 4: Search for publicly available TCP bind shell shellcodes.

Search on Google for "Linux x64 Bind shell shellcode exploit db".

[Screenshot: Searching for shellcode]

The second Exploit DB link contains a bind shell shellcode of 87 bytes.

Exploit DB Link: https://www.exploit-db.com/exploits/41128

[Screenshot: The shellcode]

The above shellcode will start a bind TCP shell on port 5600.

Step 5: Write a Python script to inject the bind TCP shellcode into the running process.

The C program at the GitHub link given below can be used as a reference for writing the Python script.

GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c

Python script:

Save the above program as "inject.py".

Step 6: Run the Python script with the PID of the Nginx master process passed as an argument.

Command: python inject.py 236

[Screenshot: Shellcode injection]

If the shellcode was injected successfully, a TCP bind shell should be listening on port 5600.

Step 7: Check the TCP listening ports on the machine.

Command: netstat -tnlp

A process is listening on port 5600.

Step 8: Connect to the bind shell with netcat.

Command: nc 127.0.0.1 5600

Check the current user.

Command: id

[Screenshot: Connecting to port 5600]

Step 9: Search for the flag file.

Command: find / -name flag 2>/dev/null

[Screenshot: Searching for flag]

Step 10: Retrieve the flag from the file.

Command: cat /root/flag

[Screenshot: Retrieving the flag]

Flag: 9260b41eaece663c4d9ad5e95e94c260

References:
Capabilities
ptrace
ptrace.h
user.h
ctypes
Linux/x64 - Bind (5600/TCP) Shell Shellcode
Mem Inject

Source: https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc
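As an added example (not part of the original post or the lab's own material), the following Python 3 helper does the Step 1 audit from the defender's side: it parses getcap output and decodes the CapPrm/CapEff masks found in /proc/<pid>/status, flagging CAP_SYS_PTRACE and a few other capabilities that are effectively root-equivalent. The getcap lines and the status dump are constructed samples, and the list of capabilities treated as dangerous is an assumption, not a complete classification.

```python
"""Audit helper (added example, not the post's own code): find files and processes
whose capability sets include CAP_SYS_PTRACE or other root-equivalent capabilities."""
import re

# Bit numbers from linux/capability.h (subset). CAP_SYS_PTRACE is bit 19.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin",
    13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
}
CAP_SYS_PTRACE = 19
# Assumption: capabilities treated as root-equivalent for this audit.
DANGEROUS = {"cap_sys_ptrace", "cap_sys_admin", "cap_dac_override", "cap_setuid"}
# One getcap clause: comma-separated names, then '=' or '+', then flags e/i/p.
CLAUSE = re.compile(r"^([a-z0-9_,]+)[=+]([eip]*)$")

def decode_mask(hex_mask):
    """Translate a CapPrm/CapEff hex value from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return sorted(CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1)

def status_has_ptrace(status_text):
    """True if the effective set in a /proc/<pid>/status dump contains CAP_SYS_PTRACE."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return bool(m) and bool(int(m.group(1), 16) >> CAP_SYS_PTRACE & 1)

def risky_file_caps(getcap_output):
    """Parse `getcap -r /` output (old '/path = caps' and new '/path caps' formats)
    and return {path: [dangerous caps]} where the permitted or effective set is hit."""
    findings = {}
    for line in getcap_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        path, hits = parts[0], set()
        for clause in parts[1:]:
            m = CLAUSE.match(clause)
            if m and set("ep") & set(m.group(2)):
                hits |= DANGEROUS & set(m.group(1).split(","))
        if hits:
            findings[path] = sorted(hits)
    return findings

# Constructed sample input mirroring the lab's Step 1 result.
SAMPLE_GETCAP = "/usr/bin/ping = cap_net_raw+ep\n/usr/bin/python2.7 = cap_sys_ptrace+ep\n"
SAMPLE_STATUS = "Name:\tpython2.7\nCapPrm:\t0000000000080000\nCapEff:\t0000000000080000\n"

if __name__ == "__main__":
    print(risky_file_caps(SAMPLE_GETCAP), status_has_ptrace(SAMPLE_STATUS))
```

On a live host, feed the real `getcap -r / 2>/dev/null` output to risky_file_caps and each /proc/<pid>/status file to status_has_ptrace; any hit on a binary runnable by unprivileged users, or on a process running as such a user, is the condition this lab exploits.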