Then open crontab to view if any job is scheduled. Suppose I successfully login into the victim’s machine through ssh and access the non-root user terminal. Start your attacking machine and first compromise the target system and then move to the privilege escalation stage. Let’s verify the schedule is working or not by executing the following command. */1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/* Now schedule a task with help of crontab to run tar archival program for taking backup of /html from inside /var/backups in every 1 minute. For example, make a new directory and give ALL permission to it and then create some files. And with help of it, we are going to take a compress backup of any directory. Tar is a very common UNIX program for creating and extracting archives. Likewise again we extend the wildness of wildcard character to the ultimate level and it was like a dynamic explosion in terms of system hacking. Thing is that the wildcard character used in ‘chown’ command line took the subjective ‘–reference=.my.php’ file and passed it to the chown command at the command line as an option. Then root user takes the help of the wildcard character for changing ownership. In our case user: ignite executed the following commands: echo "" > my.php –reference=RFILE (use RFILE’s owner and group rather than specifying OWNER: GROUP values) If you have ever explored tar to read its optional switches then you will find the following option. ls -alĪs you can notice, mostly file is owned by user: raj and the last two files are owned by user: ignite and when the super-user will be supposed to change ownership of all file having PHP extension with help of wildcard, then all files will indirectly come under the ownership of user: ignite.Īs you can observe when root user run chown command to give ownership to all the PHP files to the user: aarti, an error occurred and as result, the all PHP file get seized by user: ignite automatically. Now when the user: ignite found all PHP file is own be user raj then he induces two PHP file himself in the same directory and uses file reference trick for file owner hijacking by executing below commands. In the following image, you can observe all the PHP file is owned by user: raj. Mischief-user ( Ignite) – perform a notorious task such as the Chown file reference trick that can lead to file owner hijacking. Non-root-user2 ( aarti) – perform ordinary jobs such as create file Non-root-user1 ( raj) – perform ordinary jobs such as create file Super-user ( root) – perform an admin-level task such as run chown command. Let say we have three users in our system. As we know it is an abbreviation of change owner, which is used on Unix-like systems to modify the ownership of file system files, directories and it may only be changed by a super-user. Similarly again we try to do something roguish with help of chown command. Instead of showing “take help” while opening –help file it calls its own –help options from its own libraries & such type of trick is called Wildcard wildness. But the cat command failed to read information written inside –help file. However, the first two files opened normally and show the same information as written above. So as you can observe, here we have made a new directory “wild” on the desktop then with help of the echo command we have created 3 files and written 1 line in each file.Īfterwards, with help of the cat command, we try to open all the above 3 files as shown: cat file1 cd /DesktopĮcho "This is Wildcard Injection" > file2 You might be aware of wildcard symbol and their traditional usage but here we are presenting wildcard wildness and for this, I would like to draw your attention to the below steps. Append another user’s login name to the character, it refers to that user’s home directory. ~ A tilde at the beginning of a word expands to the name of your home directory. – A hyphen used within denotes a range of characters. Brackets enclose a set of characters, any one of which may match a single character at that position. ? The question mark matches any single character. * An asterisk matches any number of character in a filename, including none. Wildcards are interpreted by the shell before any other action is taken. The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Here you will get surprised after perceiving some UNIX tools like ‘tar’ or ‘chown’ can lead to full system compromise. In this article, we will cover “Wildcard Injection” an interesting old-school UNIX hacking technique, which is still a successful approach for Post exploitation and even many security-related folks haven’t heard of it.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |