HTB - Retired (Box)
(May 3, 2022, 06:10 PM)just4htb1337 Wrote: dev runs "/usr/bin/webbackup", which takes a backup of the web directory and saves the zip file in the "/var/www/" folder ... create a symlink of dev's ssh key in the "/var/www/html" folder, copy the new zip file to /dev/shm and unzip it. You will find dev's ssh key in "/var/www/html/".

Hope this helped :)


That was just damn easy ... why didn't I see it before :(
Reply
(April 4, 2022, 03:32 PM)Internetdreams Wrote: it's a buffer overflow then for root you just have to exploit binfmt_misc


Hi, I tried the binfmt_misc exploit but /proc/sys/fs/binfmt_misc/register is not writable so I did not succeed. Would you have another hint for root? Thanks
Reply
thanks
Reply
(April 4, 2022, 03:32 PM)Internetdreams Wrote: it's a buffer overflow then for root you just have to exploit binfmt_misc


Can someone please explain how the priv esc using binfmt_misc works? Or is this not the path to root?
Reply
There is an exploit on GitHub - https://github.com/toffan/binfmt_misc... just modify it as below:

- Disable the not_writable function since register is not writable
- echo "$binfmt_line" into a temp file, i.e. /tmp/temp.txt
- then cat the file into reg_helper, i.e. cat /tmp/temp.txt | /usr/lib/emuemu/reg_helper

That's it..
Reply
skyweasel Wrote: Possibly some form of file upload and file write to disk via beta.html + activate_licence.php. Then try to have index.php execute it via PHP readpage? Or SSRF to the internal service running on 127.0.0.1:1337 perhaps?

index.php
(code not captured)

beta.html - form submission
(code not captured)

activate_license.php
(code not captured)


How did you get the beta.html? I used ffuf but I got only Size: 0
5Cr1P7K1DD135
Reply
(May 8, 2022, 12:52 PM)just4htb1337 Wrote: There is an exploit on GitHub - https://github.com/toffan/binfmt_misc... just modify it as below:

- Disable the not_writable function since register is not writable
- echo "$binfmt_line" into a temp file, i.e. /tmp/temp.txt
- then cat the file into reg_helper, i.e. cat /tmp/temp.txt | /usr/lib/emuemu/reg_helper

That's it..


Right on... thank you!
Reply
(May 8, 2022, 12:52 PM)just4htb1337 Wrote: There is an exploit on GitHub - https://github.com/toffan/binfmt_misc... just modify it as below:

- Disable the not_writable function since register is not writable
- echo "$binfmt_line" into a temp file, i.e. /tmp/temp.txt
- then cat the file into reg_helper, i.e. cat /tmp/temp.txt | /usr/lib/emuemu/reg_helper

That's it..


Hello, could you maybe elaborate on the exploit methodology? I have the exploit binary on the box; how do I disable not_writable? And how is the actual exploit binary used?

Many thanks!
Reply
What is better for studying these old machines?
Reply
The script is registering a new interpreter. If you ls /proc/sys/fs/binfmt_misc/ you will find EMUEMU is already there. The script creates a new randomly named interpreter handler for the target.

You can read up on the details at https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/

cat /proc/sys/fs/binfmt_misc/W0pM
enabled
interpreter /tmp/tmp.zIb2Vw60tL
flags: OC
offset 0
magic 7f454c4602010100000000000000000003003e000100000040450000000000004000000000000000a08100000000000000000000400038000b0040001d001c000600000004000000400000000000000040000000000000004000000000000000680200000000000068020000000000000800000000000000030000000400

The last line in the script should be something like:

binfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"
echo "$binfmt_line" > /tmp/temp.txt

cat /tmp/temp.txt | /usr/lib/emuemu/reg_helper

exec "$target"
Reply
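A defender-side check for the handler entries this post describes, added here as an example and not taken from the thread or the linked exploit: it parses the status format shown above (enabled / interpreter / flags / offset / magic) and flags an interpreter that lives outside a trusted directory or carries the C (credentials) flag. TRUSTED_DIRS is an assumption for the example, and the sample entry is constructed from the W0pM output quoted above with its magic truncated.

```python
import os

# Directories a legitimately installed interpreter is expected to live in
# (assumption for this example; adjust for the host being audited).
TRUSTED_DIRS = ("/usr/bin", "/usr/lib", "/usr/local/bin", "/bin")

def parse_entry(name, text):
    """Parse /proc/sys/fs/binfmt_misc/<name> (the format shown by cat above)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    fields = {}
    for line in lines[1:]:  # first line is "enabled" or "disabled"
        parts = line.split(None, 1)
        fields[parts[0].rstrip(":")] = parts[1] if len(parts) > 1 else ""
    return {
        "name": name,
        "enabled": lines[0] == "enabled",
        "interpreter": fields.get("interpreter", ""),
        "flags": fields.get("flags", ""),
        "offset": int(fields.get("offset", "0")),
        "magic": bytes.fromhex(fields.get("magic", "")),  # b"" for extension-based entries
    }

def audit_entry(entry):
    """Return findings for one handler; an empty list means nothing unusual."""
    findings = []
    interp_dir = os.path.dirname(entry["interpreter"])
    if not any(interp_dir == d or interp_dir.startswith(d + "/") for d in TRUSTED_DIRS):
        findings.append("interpreter outside trusted directories: " + entry["interpreter"])
    if "C" in entry["flags"]:
        findings.append("C flag set: the interpreter runs with the matched binary's "
                        "credentials, so a SUID target elevates the interpreter")
    return findings

def audit_proc(root="/proc/sys/fs/binfmt_misc"):
    """Audit every handler registered on the running host; returns {name: findings}."""
    result = {}
    for name in sorted(os.listdir(root)):
        if name in ("register", "status"):  # control files, not handlers
            continue
        with open(os.path.join(root, name)) as fh:
            result[name] = audit_entry(parse_entry(name, fh.read()))
    return result

# Constructed sample modelled on the W0pM entry quoted in the thread (magic truncated).
SAMPLE_W0PM = ("enabled\ninterpreter /tmp/tmp.zIb2Vw60tL\nflags: OC\noffset 0\n"
               "magic 7f454c4602010100000000000000000003003e00010000004045000000000000\n")

if __name__ == "__main__":
    for name, findings in audit_proc().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it as root on the host to list every registered handler; the entry quoted in the thread produces both findings, while a distribution-installed qemu-user handler under /usr/bin without the C flag produces none.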