CTF assistance on linux privilege escape [closed]
I’m stuck on a CTF exercise that has been quite difficult to get a grasp of. I have access to a server as a user. On this server, there's only root other than me. I am supposed to access a file in root where I have no permissions or read the text by manipulating certain other things. Everything SHOULD be able to be done on the server. NO kernel exploits, no cronjobs, no outside scripts/tools but maybe a script in one of my files? No logging in and out; just a few commands.
I have only got sudo privilege to execute on one python file in /tmp/file.py: aka sudo /tmp/file.py is the only way I can get elevated permission. That py file has the function to cat /tmp/file2 which then displays the content of file2. I only have rx on the py file, and no rights on the file2.
Step 4 of the CTF exercises was easy because I had vim and rwx on that same file. I'm expecting that I still need to somehow use sudo /tmp/file.py, but I can't seem to get it to work. I've explored all suid setuid and the likes, but none of them are handy (steps 2/3 used these).
I can write and create files on /tmp and in my home/user folder and make them executable. I can also change $PATH it seems and append to the .bashrc even though I only have read access on that file. But I still can't get my head around how to "DIVERT" tmp/file from tmp/file2 to one of my own cat /root/filewithinfo.
Any suggestions?
I can't do anything with sudo except sudo /tmp/file.py.
Some tests that I've done:
mkdir -p /home/user/bin
touch /home/user/bin/sudo
chmod +x /home/user/bin/sudo
But I can't escalate due to no sudo permission on user/bin, etc.
I appended a bin/bash to .bashrc:
user@server:~$ source /home/user/.bashrc
Sorry, user user is not allowed to execute ‘/bin/bash’ as root on server.
This doesn't work, either:
echo "sudo /bin/bash" >> /home/user/.bashrc
I am open to suggestions.
Symbolic links are not possible due to the file2 existing and I can't remove it.
Feels like I should grep or pipe in another command somehow through sudo /tmp/file.py to get this solved.