Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Question on SFTP Without Execution #7

Open
Himself132 opened this issue Aug 11, 2019 · 1 comment
Open

Question on SFTP Without Execution #7

Himself132 opened this issue Aug 11, 2019 · 1 comment

Comments

@Himself132
Copy link

What would the attack profile with chw00t be on a system like this?

override default of no subsystems

Subsystem sftp /usr/lib/openssh/sftp-server

Match User companyname
ForceCommand internal-sftp
ChrootDirectory /opt/sftp/companyname
PermitTunnel no

Where /root is not world writeable? drwx------ 4 root root 4096 Jul 15 21:58 root

I can upload the file and create directories and use chown but ./chw00t is not a command it can run.

@earthquake
Copy link
Owner

First of all, chw00t is just a compilation of different technique to break out of certain chrooted environment. In case you cannot execute the binary, you cannot use it of course.
It seems to me that you cannot change the configuration neither, none of the known techniques will help you break out unfortunately.
In case you could change the config or you have a different user that is chrooted into a directory under this path: /opt/sftp/companyname, you could use the two users combined to break out with the Move-out-of-chroot technique (-5).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants