Monday, August 13, 2018

Sudo Date...Thanks For Read Access To Every Non-Binary File

Recently, I was testing an open source web application and stumbled on a command injection as the www-data user (hopefully another blog post soon, once the vulnerability has been patched).  To have a better idea of what I'm talking about, I created a demo web application with a similar vulnerability.


The payload in vulnparam is "id) && (echo", where id is the command whose output is displayed on the screen and the echo part essentially eliminates the rest of the command that the web application intended to run; the actual command injection is outside the scope of this post. Injecting id confirms I'm running as www-data. While enumerating the system for privilege escalation, I decided to run "sudo -l" to list the commands www-data was allowed to sudo and discovered something interesting.


Date seemed like something worth exploring.  The man pages instantly revealed something promising.


What happens if I set the file parameter to something that doesn't contain dates?  Well, nothing at first because the output goes to standard error, haha.  But, once I realized that and directed standard error to standard output with the following payload "sudo date -f /etc/shadow 2>&1) && (echo", I hit pay dirt!


Since this was a web application on an Internet of Things (IoT) device, reading /etc/wpa_supplicant/wpa_supplicant.conf for the cleartext WiFi password would be beneficial.  If you had root privileges on date on a more traditional engagement, you could use it for acquiring hashes or to read SSH private keys.
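For defenders, the file read described above shows up in sudo's own log. The following is an added example, not code from the original post: it scans sudo log lines for date run with its file option in any of the spellings GNU getopt accepts (-f FILE, -fFILE, clustered as in -uf, --file=FILE, or a prefix such as --fil). The log lines, host name and the id_rsa path are constructed sample data.

```python
import re

# Constructed sample lines in sudo's syslog format (not taken from the post).
LINE = "Aug 13 10:0{}:00 iot sudo: {} : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND={}"
SAMPLE_LOG = "\n".join(LINE.format(i, u, c) for i, (u, c) in enumerate([
    ("www-data", "/bin/date"),
    ("www-data", "/bin/date -f /etc/shadow"),
    ("www-data", "/bin/date -uf/etc/wpa_supplicant/wpa_supplicant.conf"),
    ("www-data", "/bin/date --fil=/root/.ssh/id_rsa"),
    ("admin", "/bin/date -s 2018-08-13"),
]))
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$", re.M)
LONG_WITH_ARG = ("--date", "--reference", "--set")

def date_file_arg(argv):
    """Return the FILE that GNU date is given via -f/--file, else None."""
    args = iter(argv[1:])
    for tok in args:
        if tok == "--":
            break
        if tok.startswith("--"):
            name, eq, value = tok.partition("=")
            if len(name) > 2 and "--file".startswith(name):  # getopt prefix form
                return value if eq else next(args, None)
            if not eq and any(o.startswith(name) for o in LONG_WITH_ARG):
                next(args, None)                  # skip that option's argument
        elif tok.startswith("-"):
            for i, ch in enumerate(tok[1:], start=2):
                if ch == "f":                     # -f FILE or -fFILE
                    return tok[i:] or next(args, None)
                if ch in "drsI":                  # rest of token is the argument
                    if ch != "I" and not tok[i:]:
                        next(args, None)          # argument is the next token
                    break
    return None

def find_date_file_reads(log_text):
    """Return (user, runas, file) for each sudo'd date call that reads a file."""
    hits = []
    for user, runas, cmd in SUDO_RE.findall(log_text):
        argv = cmd.split() or [""]
        path = date_file_arg(argv) if argv[0].rsplit("/", 1)[-1] == "date" else None
        if path and path != "-":                  # "-" means stdin, not a file
            hits.append((user, runas, path))
    return hits

if __name__ == "__main__":
    for user, runas, path in find_date_file_reads(SAMPLE_LOG):
        print(f"ALERT: {user} ran date as {runas} with file {path}")
```

On the prevention side, a sudoers entry that lists a command with no arguments permits any arguments, including -f. Listing the command followed by `""` permits it only with no arguments at all.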

I thought this was an interesting step towards privilege escalation and worth sharing.  At the very least, it might be useful for a CTF...

Go forth and reign shells!

18 comments:

  1. Good to know! I'll add this to the list!


Copyright © 2015 Reigning Shells