Nytro

Privilege Escalation by abusing SYS_PTRACE Linux Capability

Nishant Sharma
May 8 · 4 min read
Linux capabilities allow binaries executed by non-root users to perform specific privileged operations without being granted full root permissions. There are 40 capabilities supported by the Linux kernel; the full list can be found in the Capabilities reference at the end of this post.

This model lets an administrator grant a binary only the specific permissions it needs for its privileged operations, rather than giving it full root privileges by making it setuid or setgid, or by allowing it to run under sudo without a password.

As a full treatment of capabilities is out of the scope of this post, we encourage the reader to check the links in the References section below:


Lab Scenario

We have set up the scenario below in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab: The Basics: CAP_SYS_PTRACE

This lab comprises a Linux machine with the necessary tools installed on it. The user or practitioner gets command-line (CLI) access, through the web browser, to a bash shell inside a running container as the student user.


Challenge Statement

In this lab, you need to abuse the CAP_SYS_PTRACE capability to get root on the box! A flag is kept in root’s home directory.

Objective: Escalate to the root user and retrieve the flag!


Solution

Step 1: Find all binaries which have capabilities set for them.

Command: getcap -r / 2>/dev/null

(Screenshot: Finding files with capabilities)

The CAP_SYS_PTRACE capability is present in the permitted set of the /usr/bin/python2.7 binary. As a result, the current user, via python2.7, can attach to other processes (including those owned by other users) and trace their system calls.
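As an added example that is not part of the original article or the lab, the following Python script shows what a defender would check at this step from the other side: it decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb bitmasks found in /proc/<pid>/status into capability names, parses `getcap -r` output in both the older `path = caps+flags` and the newer `path caps=flags` format, and flags binaries whose permitted or effective set contains a capability that is effectively equivalent to root. The sample getcap lines and the status snippet are constructed, and the ROOT_EQUIVALENT set is this example's own judgement, not a list taken from the page.

```python
"""Decode Linux capability sets and audit `getcap -r` output for
capabilities that let a non-root process act as root.

Added illustration for this post; it is not part of the original
article or the lab. Sample inputs are constructed.
"""
import re

# Capability numbers as defined in <linux/capability.h>, bits 0..39
# (the 40 capabilities the post refers to).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
]

# Capabilities that on their own are generally enough to reach root.
# This is a judgement call for the example, not an authoritative list.
ROOT_EQUIVALENT = {
    "cap_sys_ptrace", "cap_sys_admin", "cap_sys_module", "cap_sys_rawio",
    "cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid",
    "cap_chown", "cap_fowner", "cap_setfcap",
}


def decode_cap_mask(hex_mask):
    """Turn a hex bitmask (e.g. the CapEff value from /proc/<pid>/status)
    into the list of capability names whose bit is set."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
    return names


def parse_status(status_text):
    """Extract the five capability sets from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            sets[key] = decode_cap_mask(value.strip())
    return sets


# Matches both "path = caps+flags" (older libcap) and "path caps=flags" (newer).
GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>\S+)$")


def parse_getcap(lines):
    """Parse `getcap -r` output lines into (path, [cap names], flags).
    Assumes one capability clause per line, which is the common case."""
    entries = []
    for line in lines:
        m = GETCAP_LINE.match(line.strip())
        if not m:
            continue
        parts = re.split(r"[+=]", m.group("caps"), maxsplit=1)
        names = parts[0].split(",")
        flags = parts[1] if len(parts) > 1 else ""
        entries.append((m.group("path"), names, flags))
    return entries


def audit_getcap(lines):
    """Report binaries whose permitted (p) or effective (e) set contains a
    root-equivalent capability."""
    findings = []
    for path, names, flags in parse_getcap(lines):
        if not ("p" in flags or "e" in flags):
            continue
        risky = sorted(set(names) & ROOT_EQUIVALENT)
        if risky:
            findings.append((path, risky))
    return findings


# Constructed sample data: what `getcap -r / 2>/dev/null` and
# /proc/<pid>/status could look like in the lab described above.
SAMPLE_GETCAP = [
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/python2.7 = cap_sys_ptrace+ep",
    "/usr/sbin/arping cap_net_raw=ep",
]
SAMPLE_STATUS = (
    "Name:\tpython2.7\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000080000\n"
    "CapEff:\t0000000000080000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    for path, risky in audit_getcap(SAMPLE_GETCAP):
        print("%s: root-equivalent capability %s" % (path, ",".join(risky)))
    for name, caps in sorted(parse_status(SAMPLE_STATUS).items()):
        print("%s: %s" % (name, ",".join(caps) or "(none)"))
```

The mask 0000000000080000 decodes to cap_sys_ptrace alone (bit 19 in the kernel's numbering), which is what a python2.7 process started from this binary would show in CapEff. Yama's kernel.yama.ptrace_scope does not help here at levels 1 or 2, since both exempt processes holding CAP_SYS_PTRACE; only level 3 disables ptrace attach entirely. The durable fix is not to grant CAP_SYS_PTRACE to an interpreter in the first place (setcap -r /usr/bin/python2.7 removes the file capability) and to keep it out of a container's bounding set.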


Step 2: Check the services running on the machine.

Command: ps -eaf

(Screenshot: Process listing, parts I and II)

Nginx is running on the machine. Its master process runs as root and has PID 236.

Step 3: Check the architecture of the machine.

Command: uname -m

(Screenshot: Checking system architecture)

The machine is running 64-bit Linux.


Step 4: Search for publicly available TCP BIND shell shellcodes.

Search on Google “Linux x64 Bind shell shellcode exploit db”.

(Screenshot: Searching for shellcode)

The second Exploit DB link contains a BIND shell shellcode of 87 bytes.

Exploit DB Link: https://www.exploit-db.com/exploits/41128

(Screenshot: The shellcode)

The above shellcode will trigger a BIND TCP Shell on port 5600.


Step 5: Write a python script to inject the BIND TCP shellcode into the running process.

The C program at the GitHub link given below can be used as a reference for writing the Python script.

GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c

Python script:

Save the above program as “inject.py”

Step 6: Run the python script with the PID of the Nginx master process passed as an argument.

Command: python inject.py 236

(Screenshot: Shellcode injection)

If the shellcode was injected successfully, a TCP BIND shell should be running on port 5600.


Step 7: Check the TCP listening ports on the machine.

Command: netstat -tnlp


A process is listening on port 5600.
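As an added example that is not part of the original article, here is the defender-side counterpart of this step in Python: it parses `netstat -tnlp` style output and compares every LISTEN socket against a baseline of the ports each program is expected to open, so a listener on an unusual port attributed to the Nginx master process (or a socket whose owner cannot be resolved) is reported for review. The sample netstat rows and the baseline are constructed; the PID 236 is the lab's value from the process listing above.

```python
"""Flag listening TCP sockets that a process would not be expected to
open, from `netstat -tnlp` style output.

Added illustration for this post; not part of the original article.
The sample output and the baseline are constructed.
"""
import re

# One netstat -tnlp row: proto, recv-q, send-q, local, foreign, state, pid/program.
NETSTAT_ROW = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<owner>.+?)\s*$"
)


def parse_netstat(text):
    """Return one dict per LISTEN row. The owner column is "<pid>/<name>",
    or "-" when the socket belongs to a process the caller cannot inspect."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)
        owner = m.group("owner")
        if owner == "-":
            pid, program = None, None
        else:
            pid_str, name = owner.split("/", 1)
            pid = int(pid_str)
            # "nginx: master process" -> "nginx"
            program = re.split(r"[:\s]", name, maxsplit=1)[0]
        rows.append({"proto": m.group("proto"), "addr": addr,
                     "port": int(port), "pid": pid, "program": program})
    return rows


def find_unexpected_listeners(rows, baseline):
    """Compare LISTEN sockets with a baseline of {program: {expected ports}}.
    Anything outside the baseline, or with an unresolvable owner, is
    returned with a reason for a human to look at."""
    findings = []
    for row in rows:
        if row["program"] is None:
            reason = "owning process not visible; rerun as root to attribute"
        elif row["program"] not in baseline:
            reason = "program %s has no baseline entry" % row["program"]
        elif row["port"] not in baseline[row["program"]]:
            reason = "port %d is not expected for %s" % (row["port"], row["program"])
        else:
            continue
        findings.append(dict(row, reason=reason))
    return findings


# Constructed sample: what `netstat -tnlp` might show after the injection
# described in the post. The shellcode runs inside the process it was
# injected into, so the new listener is attributed to the Nginx master
# (PID 236 is the lab's value).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      236/nginx: master
tcp        0      0 0.0.0.0:5600            0.0.0.0:*               LISTEN      236/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
"""
BASELINE = {"nginx": {80, 443}, "sshd": {22}}

if __name__ == "__main__":
    for f in find_unexpected_listeners(parse_netstat(SAMPLE_NETSTAT), BASELINE):
        print("%s:%d (%s pid=%s): %s"
              % (f["addr"], f["port"], f["program"], f["pid"], f["reason"]))
```

Because the injected code lives inside the Nginx master, the new socket looks like an Nginx listener; a per-program port baseline catches it where a plain "is anything new listening" check would not distinguish it from a legitimate vhost. On current systems `ss -tnlp` has replaced netstat; its columns differ, so the regex would need adjusting for that output.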

Step 8: Connect to the BIND shell with netcat.

Command: nc 127.0.0.1 5600

Check the current user.

Command: id

(Screenshot: Connecting to port 5600)

Step 9: Search for the flag file.

Command: find / -name flag 2>/dev/null

(Screenshot: Searching for the flag)

Step 10: Retrieve the flag from the file /root/flag.

Command: cat /root/flag

(Screenshot: Retrieving the flag)

Flag: 9260b41eaece663c4d9ad5e95e94c260


References:

  1. Capabilities
  2. ptrace
  3. ptrace.h
  4. user.h
  5. ctypes
  6. Linux/x64 — Bind (5600/TCP) Shell Shellcode
  7. Mem Inject

 

Source: https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc
