Everything Is Just Dandy!

HackTheBox – Scanned – Escaping and Exploiting Chroot Based Jails via Unprotected File Descriptor

IppSec
IppSec
2022-09-10
https://www.youtube.com/watch?v=FoQuNsCyQz0
00:00 – Intro
01:00 – Start of nmap
02:00 – Using MSFVenom to upload a reverse shell to identify what the malware sandbox looks like
04:25 – Examining the source code of the sandbox
12:00 – Creating a program in C to see the size of an unsigned long
13:40 – Creating a program to replace the output of the trace program and exfil data via the return register on the webapp
20:50 – Creating a python program to automate uploading the file and returning the output
27:05 – Creating a program in C to perform ls, so we can enumerate the jail
34:00 – Changing our ls to enumerate /proc
36:25 – Adding a readlink() call to our ls program so we can view symlinks
41:00 – Discovering an open file descriptor in PID 1, using this to escape the jail and read /etc/passwd
44:40 – Dumping the Django Database
46:00 – Using hashcat to crack a custom salted MD5 hash/password
51:00 – Examining how the sandbox is created on the box itself, explaining how we can abuse setuid binaries because we can write to /lib (path injection)
53:20 – Using ldd to view all the libraries su needs, copying them to a directory
55:40 – Creating a malicious linux library with a constructor to execute code when it is loaded
59:18 – Changing our readfile poc to execute su and read the output, discovering we need to modify our malicious library slightly
1:02:10 – Adding a misc_conv function so our library loads and getting code execution as root