VulnHub CyberSploit 1 Write-up

Can you break the glass?

Abstract

Enumeration

Exploitation

Escalation

An overlay filesystem combines two filesystems - an 'upper' filesystem
and a 'lower' filesystem. When a name exists in both filesystems, the
object in the 'upper' filesystem is visible while the object in the
'lower' filesystem is either hidden or, in the case of directories,
merged with the 'upper' object.

It would be more correct to refer to an upper and lower 'directory
tree' rather than 'filesystem' as it is quite possible for both
directory trees to be in the same filesystem and there is no
requirement that the root of a filesystem be given for either upper or
lower.

The lower filesystem can be any filesystem supported by Linux and does
not need to be writable. The lower filesystem can even be another
overlayfs. The upper filesystem will normally be writable and if it
is it must support the creation of trusted.* extended attributes, and
must provide valid d_type in readdir responses, so NFS is not suitable.

A read-only overlay of two read-only filesystems may use any
filesystem type.
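The upper/lower merge rules above are easiest to see on a concrete tree. The following is an added illustration (not kernel code and not part of the original write-up): a small Python model in which each tree is a nested dict, a directory is a dict, a file is its content string, and a `WHITEOUT` marker in the upper tree stands in for the whiteout entry overlayfs uses to hide a lower object. Writes always land in the upper tree, which is the behaviour the exploitation steps below rely on when a modified file appears in the upper directory.

```python
# Added model of overlayfs name resolution; trees and names are constructed.
WHITEOUT = object()  # marker in the upper tree that hides the lower entry of the same name


def merged_view(upper, lower):
    """Return the listing the overlay presents for one directory level.

    upper-only  -> upper object
    lower-only  -> lower object
    both dirs   -> merged recursively
    other clash -> upper object wins, lower object hidden
    whiteout    -> nothing visible
    """
    view = {}
    for name in sorted(set(upper) | set(lower)):
        u, l = upper.get(name), lower.get(name)
        if u is WHITEOUT:
            continue
        if u is None:
            view[name] = l
        elif l is None or not (isinstance(u, dict) and isinstance(l, dict)):
            view[name] = u
        else:
            view[name] = merged_view(u, l)
    return view


def read_file(upper, lower, path):
    """Resolve a path through the merged view and return the file content."""
    node = merged_view(upper, lower)
    for part in path.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            raise FileNotFoundError(path)
        node = node[part]
    if isinstance(node, dict):
        raise IsADirectoryError(path)
    return node


def write_file(upper, path, content):
    """Model a write: the result is stored in the upper tree only.

    Intermediate directories are created in upper as needed; the lower
    tree is never touched, which is what makes it safe to keep read-only.
    """
    parts = path.strip("/").split("/")
    node = upper
    for part in parts[:-1]:
        child = node.get(part)
        if child is None or child is WHITEOUT:
            child = node[part] = {}
        elif not isinstance(child, dict):
            raise NotADirectoryError(part)  # a file in upper shadows the directory
        node = child
    node[parts[-1]] = content


def remove_file(upper, lower, path):
    """Model unlink: an object that exists in lower is hidden by a whiteout."""
    parts = path.strip("/").split("/")
    node = lower
    for part in parts:
        node = node.get(part) if isinstance(node, dict) else None
    if node is not None:
        write_file(upper, path, WHITEOUT)   # lower object exists: hide it
    else:
        parent = upper
        for part in parts[:-1]:
            parent = parent[part]
        del parent[parts[-1]]               # upper-only object: plain delete


def demo():
    """Constructed trees: /bin/ls is overridden, /etc is a file in upper."""
    lower = {"bin": {"su": "lower-su", "ls": "lower-ls"},
             "etc": {"passwd": "lower-passwd"}}
    upper = {"bin": {"ls": "upper-ls"}, "etc": "upper-etc-file"}
    before = read_file(upper, lower, "/bin/su")
    write_file(upper, "/bin/su", "modified-su")
    after = read_file(upper, lower, "/bin/su")
    return before, after, lower["bin"]["su"], upper["bin"]["su"]


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows the point that matters for the rest of the write-up: after the write, the overlay returns the modified content, the lower copy is unchanged, and the new object lives only in the upper directory.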
  • New mount and user namespaces are created for the process.
  • That process then mounts an overlayfs atop /bin using temporary directories for the overlayfs “upperdir” and “workdir” directories. A writable overlayfs must have both of these directories; upperdir holds the files/directories that have been changed, while workdir is used as a work space to enable atomic overlayfs operations.
  • The process inside the namespaces changes its working directory to the overlayfs, thus making it visible outside of the namespaces by way of /proc/PID/cwd.
  • The process changes the su binary (in /bin) to be world-writable, but does not change the owner. That results in a new file being created in the upper overlay directory.
  • A process outside of the namespaces writes anything it wants to that file without changing the setuid bit (more on that coming).
  • The outer process then runs that su with root privileges.
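The chain above depends on two conditions a defender can audit: an unprivileged process must be able to create user and mount namespaces, and a setuid binary ends up world-writable. The following is an added check script, not part of the original write-up, that reports both. It assumes two real kernel knobs: `kernel.unprivileged_userns_clone` (the Debian/Ubuntu kernel patch; `0` disables unprivileged user namespaces) and `user.max_user_namespaces` (mainline; `0` disables them). The `assess()` and `world_writable_setuid()` functions take plain data so they can be exercised offline with constructed values; `read_sysctls()` and `scan_setuid()` are the loaders for a live host.

```python
# Added defender-side check; sysctl names are real, sample values are constructed.
import os
import stat

SYSCTL_FILES = {
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
}


def read_sysctls():
    """Read the knobs this host exposes; missing files are simply absent."""
    values = {}
    for key, path in SYSCTL_FILES.items():
        try:
            with open(path) as fh:
                values[key] = fh.read().strip()
        except OSError:
            pass
    return values


def assess(sysctl):
    """Return (status, reason) for unprivileged user-namespace creation.

    status is 'disabled', 'enabled' or 'unknown' (no knob visible).
    """
    clone = sysctl.get("kernel.unprivileged_userns_clone")
    limit = sysctl.get("user.max_user_namespaces")
    if clone == "0":
        return "disabled", "kernel.unprivileged_userns_clone=0"
    if limit == "0":
        return "disabled", "user.max_user_namespaces=0"
    if clone is not None or limit is not None:
        return "enabled", "unprivileged user namespaces permitted"
    return "unknown", "no user-namespace sysctl exposed by this kernel"


def world_writable_setuid(entries):
    """Given (path, st_mode) pairs, return paths that are both setuid and
    world-writable: the state the su binary is left in by the steps above."""
    flagged = []
    for path, mode in entries:
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and mode & stat.S_IWOTH:
            flagged.append(path)
    return flagged


def scan_setuid(directories=("/bin", "/usr/bin", "/sbin", "/usr/sbin")):
    """Collect (path, st_mode) for regular files under the given directories."""
    entries = []
    for directory in directories:
        try:
            names = os.listdir(directory)
        except OSError:
            continue
        for name in names:
            path = os.path.join(directory, name)
            try:
                entries.append((path, os.lstat(path).st_mode))
            except OSError:
                pass
    return entries


if __name__ == "__main__":
    status, reason = assess(read_sysctls())
    print(f"unprivileged user namespaces: {status} ({reason})")
    for path in world_writable_setuid(scan_setuid()):
        print(f"WARNING: setuid binary is world-writable: {path}")
```

A `disabled` result removes the first step of the chain for unprivileged users on that host; a non-empty list from `world_writable_setuid()` is worth treating as an incident indicator rather than a misconfiguration, since a setuid root binary should never carry the world-writable bit.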
1337root

Conclusion

Anirban Chakraborty