mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 12:03:03 +00:00
d00047f340
Spelling correction
83 lines
2.9 KiB
Markdown
83 lines
2.9 KiB
Markdown
# echoCTF - pathfinder
|
|
This is an OS category challenge in which we are provided an IP address and a port to connect using `nc`
|
|
|
|
We can get the first flag by connecting with netcat and printing the evnironmental variables with `env`
|
|
|
|
<img src="https://i.imgur.com/iBZ0c0T.png"/>
|
|
|
|
## Privilege Escalation (curiosity)
|
|
On runnning `sudo -l` we can see that opportunity user can run `ls` binary as `curiosity`
|
|
|
|
<img src="https://i.imgur.com/3AAl8Bd.png"/>
|
|
|
|
<img src="https://i.imgur.com/gyyBC3n.png"/>
|
|
|
|
Using this flag we can switch to curiosity user
|
|
|
|
## Privilege Escalation (insight)
|
|
|
|
Running `sudo -l` to see what we can run as other user , it seems that there's a custom binary named `insight`
|
|
|
|
<img src="https://i.imgur.com/CiDsC1s.png"/>
|
|
|
|
On running this binary , it will print this message
|
|
|
|
<img src="https://i.imgur.com/scL7NIW.png"/>
|
|
|
|
Let's transfer this binary on to our host machine so that we can analyze what's going on in this binary
|
|
|
|
<img src="https://i.imgur.com/at9i510.png"/>
|
|
|
|
I used `ghidra` to analyze the binary , looking at the `main` function it's just setting the uid,gid and eid to 1005 (pathfinder user's id) and just printing a string
|
|
|
|
<img src="https://i.imgur.com/Cwld3CE.png"/>
|
|
|
|
But we can see here that a shared library is being used , shared library is loaded by the program when it starts
|
|
|
|
<img src="https://i.imgur.com/cERe1ED.png"/>
|
|
|
|
By following this article https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/ , I used the same c langugage code , changed the root's id to insight's id which was 1004
|
|
|
|
```c
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <stdlib.h>
|
|
void _init() {
|
|
unsetenv("LD_PRELOAD");
|
|
setgid(1004);
|
|
setuid(1004);
|
|
system("/bin/sh");
|
|
}
|
|
```
|
|
|
|
Now to compile this
|
|
|
|
<img src="https://i.imgur.com/dsCOTSI.png"/>
|
|
|
|
Host the shared object file and transfer it to the target machine
|
|
|
|
<img src="https://i.imgur.com/wNjeIUx.png"/>
|
|
|
|
<img src="https://i.imgur.com/FsKgQe4.png"/>
|
|
|
|
|
|
## Privilege Escalation (pathfinder)
|
|
|
|
Running `sudo -l` again , we can see this user can run `pathfinder` binary , another custom binary
|
|
|
|
<img src="https://i.imgur.com/4GRQYzf.png"/>
|
|
|
|
on running this in a directory where we don't have permissions to read file , it will give us an error that `ls` cannot open directory , which means that ls binary is being used here and it's possible that it isn't using it's absolute path i.e `/bin/ls` , here comes PATH variable exploit in which we create a fake `ls` binary which will invoke `bash` and for that we will need to add the path for our fake binary
|
|
|
|
<img src="https://i.imgur.com/DZXyd8y.png"/>
|
|
|
|
## Privilege Escalation (ETSCTF)
|
|
Doing `sudo -l` with this user will show us that we can run `/usr/bin/env` which is used to print environmental variables as `ETSCTF` user
|
|
|
|
<img src="https://i.imgur.com/eQ0OcLx.png"/>
|
|
|
|
Let's just visit GTFOBINS for this binary
|
|
|
|
<img src="https://i.imgur.com/9XJfbN8.png"/>
|
|
|
|
<img src="https://i.imgur.com/GGe94q0.png"/>
|