VMsetup.txt
Sections:
Building Pure-ftpd
Setting up Chroot Jailed Accounts
Config and Running Pure-ftpd
Pwning Process
Ubuntu 22.04.5 LTS
sudo apt update
sudo apt upgrade
sudo apt install gcc make
=================================================================================
=================================================================================
Download, Patch, Configure and make Pure-ftpd
=================================================================================
=================================================================================
wget https://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.50.tar.gz
tar -xzf pure-ftpd-1.0.50.tar.gz
cd pure-ftpd-1.0.50
# patching src code for reduced reply buffer size
sed -i '305s/.*/static char replybuf[55U];/' src/ftpd.c
sed -i '4865s/.*/\tint display_banner = 0;/' src/ftpd.c
./configure --with-puredb --with-virtualchroot
sudo make install
cd ..
=================================================================================
=================================================================================
Create Two Chroot Jailed Accounts That Can't Go Outside of /home/<user> for demo purposes
I did this because I can't figure out how to throw the symlink onto the server using ftp only
without ssh; also it seems like the symlink exploit only works on folders with read access.
This is basically strong-arming a kind of possible scenario where ssh is present but listing
directories on upper levels isn't possible.
=================================================================================
=================================================================================
sudo su
groupadd chroot
# add users. Note: a login shell is needed for ssh access and for writing the symlink
useradd -m -d /home/bob -g chroot -s /bin/bash bob
useradd -m -d /home/eve -g chroot -s /bin/bash eve
# add password
passwd bob
passwd eve
# chroot jail ssh setup https://www.tecmint.com/restrict-ssh-user-to-directory-using-bobed-jail/
sudo su
mkdir -p /home/bob/dev/
cd /home/bob/dev/
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8
# Copy utilities
mkdir -p /home/bob/bin
cp -v /bin/{bash,ls,ln,rm,mkdir} /home/bob/bin/
# Copy utility dependencies
mkdir -p /home/bob/lib
mkdir -p /home/bob/lib64
cp -v /lib/x86_64-linux-gnu/{libc.so.6,libtinfo.so.6,libpcre2-8.so.0,libselinux.so.1} /home/bob/lib
cp -v /lib64/ld-linux-x86-64.so.2 /home/bob/lib64
# Copy passwd and group files so names resolve inside the jail
mkdir /home/bob/etc
cp -vf /etc/{passwd,group} /home/bob/etc/
rsync -av --exclude '.*' /home/bob/ /home/eve/
# Access Control
chown root:root /home/bob
chown root:root /home/eve
mkdir /home/bob/home
mkdir /home/eve/home
chown bob:chroot /home/bob/home
chown eve:chroot /home/eve/home
chmod 0755 -R /home/bob
chmod 0755 -R /home/eve
# ssh Chroot setup
echo 'Match Group chroot' >> /etc/ssh/sshd_config
echo 'ChrootDirectory %h' >> /etc/ssh/sshd_config
systemctl restart sshd
=================================================================================
=================================================================================
Pure-ftpd config
=================================================================================
=================================================================================
# add pure-ftpd user
# Note: the ftp chroot is different from the system chroot since we need to create the symlink in the ftp
# chroot dir, but the system chroot must be root-owned and 0755 (drwxr-xr-x) or sshd refuses the ChrootDirectory
pure-pw useradd bob -u bob -d /home/bob/home
pure-pw useradd eve -u eve -d /home/eve/home
pure-pw mkdb
# run pure-ftpd
# -A: chroot non-root users
# -E: prohibit anonymous login
# -j: auto create user home dir
# -l: login db file
sudo /usr/local/sbin/pure-ftpd -A -E -j -l puredb:/etc/pureftpd.pdb
NOTE: If the above command does not work with the exploit, try using the following command instead:
sudo /usr/local/sbin/pure-ftpd -A -j -l puredb:/etc/pureftpd.pdb -E -u 1000 -d --verboselog
=================================================================================
=================================================================================
Pwning Process
=================================================================================
=================================================================================
For the demo, maybe ssh into the server first to show how restrictive it is, since
most files are owned by root and we cannot see upper levels of directories or other
users' directories.
Now on another machine run pure.py, which will print out the dir on the server that
you are trying to peek into.
python3 pure.py <server ip> 21 <username> <password> <attack dir>
Server File Structure:
-root
--home
---root account
---bob system chroot
----bob pure-ftpd chroot
---eve system chroot
----eve pure-ftpd chroot
Normally bob and eve can only view folders under their system chroot and create files in
their pure-ftpd chroot. With the CVE bob and eve can peek wherever they like (only with read access :( )