Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2025-02-16 12:08:24 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/echoCTF/pathfinder.md
Najam Ul Saqib d00047f340
Update pathfinder.md 
Spelling correction
2021-12-04 19:45:10 +05:00

2.9 KiB
Raw Blame History

echoCTF - pathfinder

This is an OS category challenge in which we are provided an IP address and a port to connect using nc

We can get the first flag by connecting with netcat and printing the evnironmental variables with env

Privilege Escalation (curiosity)

On runnning sudo -l we can see that opportunity user can run ls binary as curiosity

Using this flag we can switch to curiosity user

Privilege Escalation (insight)

Running sudo -l to see what we can run as other user , it seems that there's a custom binary named insight

On running this binary , it will print this message

Let's transfer this binary on to our host machine so that we can analyze what's going on in this binary

I used ghidra to analyze the binary , looking at the main function it's just setting the uid,gid and eid to 1005 (pathfinder user's id) and just printing a string

But we can see here that a shared library is being used , shared library is loaded by the program when it starts

By following this article https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/ , I used the same c langugage code , changed the root's id to insight's id which was 1004

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(1004);
setuid(1004);
system("/bin/sh");
}

Now to compile this

Host the shared object file and transfer it to the target machine

Privilege Escalation (pathfinder)

Running sudo -l again , we can see this user can run pathfinder binary , another custom binary

on running this in a directory where we don't have permissions to read file , it will give us an error that ls cannot open directory , which means that ls binary is being used here and it's possible that it isn't using it's absolute path i.e /bin/ls , here comes PATH variable exploit in which we create a fake ls binary which will invoke bash and for that we will need to add the path for our fake binary

Privilege Escalation (ETSCTF)

Doing sudo -l with this user will show us that we can run /usr/bin/env which is used to print environmental variables as ETSCTF user

Let's just visit GTFOBINS for this binary