Monday, August 13, 2018

Sudo Date...Thanks For Read Access To Every Non-Binary File

Recently, I was testing an open source web application and stumbled on a command injection as the www-data user (hopefully another blog post soon, once the vulnerability has been patched).  To have a better idea of what I'm talking about, I created a demo web application with a similar vulnerability.


The payload in vulnparam is "id) && (echo" where id is the command output displayed to the screen and the echo part was to essentially eliminate the rest of the command that the web application intended to run but the actual command injection is outside the scope of this post.  Injecting id confirms I'm running as www-data.  While enumerating the system for privilege escalation I decided to run "sudo -l" to list the commands www-data was allowed to sudo and discovered something interesting.


Date seemed like something worth exploring.  The man pages instantly revealed something promising.


What happens if I set the file parameter to something that doesn't contain dates?  Well, nothing at first because the output goes to standard error, haha.  But, once I realized that and directed standard error to standard output with the following payload "sudo date -f /etc/shadow 2>&1) && (echo", I hit pay dirt!


Since this was a web application on an Internet of Things (IoT) device, reading /etc/wpa_supplicant/wpa_supplicant.conf for the cleartext WiFi password would be beneficial.  If you had root privileges on date on a more traditional engagement, you could use it for acquiring hashes or to read SSH private keys.

I thought this was an interesting step towards privilege escalation and worth sharing.  At the very least, it might be useful for a CTF...

Go forth and reign shells!

Posted by at
Labels: , , , ,

5 comments:

  1. RyanANicholsonAugust 14, 2018 at 5:21 AM

    Good to know! I'll add this to the list!

    ReplyDelete
  2. Alex CharlesJune 24, 2019 at 1:25 AM

    The website is looking bit flashy and it catches the visitors eyes. Design is pretty simple and a good user friendly interface. recover lost bitcoins

    ReplyDelete
  3. albina N muroJuly 10, 2020 at 2:34 AM

    Thank you for some other informative website. The place else may just I get that kind of information written in such a perfect method? I have a venture that I am simply now running on, and I’ve been at the glance out for such info. instagram likes gradual

    ReplyDelete
  4. jamesDecember 9, 2020 at 6:34 AM

    I’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... Best Forex Signal Service

    ReplyDelete
  5. UnknownDecember 28, 2020 at 6:01 AM

    I’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... pocket Option Forex

    ReplyDelete

Subscribe to: Post Comments (Atom)
Copyright © 2015 Reigning Shells