VulnHub CyberSploit 1 Write-up

Can you break the glass?

Abstract

One thing I did not like about the box is that it is too CTF-like. I actually hate boxes like these, to be honest. What's the point if you don't learn anything? Well, you do learn something here if you pay more attention and play with it after completing it. It starts with website recon: I find a weird base64-encoded string in the robots.txt file, and looking at the source of the home page we also get a username. SSHing into the box with those credentials was successful. An overlayfs exploit exists on the box due to the outdated kernel; we use that to get a root shell.

Enumeration

As always we start with the nmap scan:

Exploitation

Not really an exploitation, but using the creds obtained earlier — itsskv::cybersploit{youtube.com/c/cybersploit} — I SSH in successfully. Honestly did not expect it to be that easy.

Escalation

There are a couple of things to enumerate before moving on to any advanced or custom-made technique. The first thing I tried, obviously, was to see which version of the Linux kernel it is running, using uname -a:

An overlay filesystem combines two filesystems - an 'upper' filesystem
and a 'lower' filesystem. When a name exists in both filesystems, the
object in the 'upper' filesystem is visible while the object in the
'lower' filesystem is either hidden or, in the case of directories,
merged with the 'upper' object.

It would be more correct to refer to an upper and lower 'directory
tree' rather than 'filesystem' as it is quite possible for both
directory trees to be in the same filesystem and there is no
requirement that the root of a filesystem be given for either upper or
lower.

The lower filesystem can be any filesystem supported by Linux and does
not need to be writable. The lower filesystem can even be another
overlayfs. The upper filesystem will normally be writable and if it
is it must support the creation of trusted.* extended attributes, and
must provide valid d_type in readdir responses, so NFS is not suitable.

A read-only overlay of two read-only filesystems may use any
filesystem type.
  • New mount and user namespaces are created for the process.
  • That process then mounts an overlayfs atop /bin using temporary directories for the overlayfs “upperdir” and “workdir” directories. A writable overlayfs must have both of these directories; upperdir holds the files/directories that have been changed, while workdir is used as a work space to enable atomic overlayfs operations.
  • The process inside the namespaces changes its working directory to the overlayfs, thus making it visible outside of the namespaces by way of /proc/PID/cwd.
  • The process changes the su binary (in /bin) to be world-writable, but does not change the owner. That results in a new file being created in the upper overlay directory.
  • A process outside of the namespaces writes anything it wants to that file without changing the setuid bit (more on that coming).
  • The outer process then runs that su with root privileges.
1337root
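The steps above boil down to a tell-tale artifact: an overlay mount whose lowerdir is a system directory such as /bin while its upperdir and workdir live under a world-writable path like /tmp. As an added hunting check (my own code, not part of the original write-up or the exploit), the script below parses /proc/PID/mountinfo lines and flags exactly that combination; the sample lines are constructed, and the path lists are assumptions you may want to extend.

```python
import glob

# Constructed sample in /proc/<pid>/mountinfo format; the last line is the shape
# left behind by the overlayfs technique described above (layering /bin over /tmp).
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 25 0:35 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
98 25 0:48 / /var/lib/docker/overlay2/abc/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/abc/diff,workdir=/var/lib/docker/overlay2/abc/work
120 25 0:52 / /tmp/ovl/merged rw,relatime - overlay overlay rw,lowerdir=/bin,upperdir=/tmp/ovl/upper,workdir=/tmp/ovl/work
"""

# Assumed lists: system trees an attacker would want to shadow, and scratch
# locations an unprivileged user can write to.
SYSTEM_LOWERS = ("/bin", "/sbin", "/usr", "/etc", "/lib")
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")


def parse_mountinfo(text):
    """Split mountinfo lines at the ' - ' separator and return mount point, fstype and super options."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 3:
            continue  # blank or malformed line
        opts = {}
        for item in post_fields[2].split(","):
            key, _, value = item.partition("=")
            opts[key] = value
        entries.append({"mount_point": pre_fields[4], "fstype": post_fields[0], "opts": opts})
    return entries


def suspicious_overlays(text):
    """Mount points of overlay mounts that put a system directory under a world-writable upper/work dir."""
    hits = []
    for entry in parse_mountinfo(text):
        if entry["fstype"] not in ("overlay", "overlayfs"):  # old out-of-tree name was 'overlayfs'
            continue
        lowers = entry["opts"].get("lowerdir", "").split(":")
        scratch = (entry["opts"].get("upperdir", ""), entry["opts"].get("workdir", ""))
        system_lower = any(l == p or l.startswith(p + "/") for l in lowers for p in SYSTEM_LOWERS)
        tmp_scratch = any(d.startswith(w + "/") for d in scratch for w in WORLD_WRITABLE)
        if system_lower and tmp_scratch:
            hits.append(entry["mount_point"])
    return hits


if __name__ == "__main__":
    # Walk every process's mount namespace view; mounts made inside a namespace show up here.
    for path in glob.glob("/proc/[0-9]*/mountinfo"):
        try:
            for mp in suspicious_overlays(open(path).read()):
                print(f"{path}: suspicious overlay mount at {mp}")
        except OSError:
            pass  # process exited or not readable
```

Running it as root on a live host covers mount namespaces you cannot see from your own shell, which is where the technique above hides its overlay.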

Conclusion

Although the box was CTF-style, I learnt something new about an exciting kernel exploit, which is cool. I would like to write my own kernel exploit one day! Anyway, a good warm-up box, best for beginners.
