CTF assistance on linux privilege escape [closed]

Çağlar Arlı      -    61 Views

I’m stuck on a CTF exercise that has been quite difficult to get a grasp of. I have access to a server as a user. On this server, there's only root other than me. I am supposed to access a file in root where I have no permissions or read the text by manipulating certain other things. Everything SHOULD be able to be done on the server. NO kernel exploits, no cronjobs, no outside scripts/tools but maybe a script in one of my files? No logging in and out; just a few commands.

I have only got sudo privilege to execute on one python file in /tmp/file.py: aka sudo /tmp/file.py is the only way I can get elevated permission. That py file has the function to cat /tmp/file2 which then displays the content of file2. I only have rx on the py file, and no rights on the file2.

Step 4 of the CTF exercises was easy because I had vim and rwx on that same file. I'm expecting that I still need to somehow use sudo /tmp/file.py, but I can't seem to get it to work. I've explored all suid, setuid and the like, but none of them are handy (steps 2/3 used these).

I can write and create files on /tmp and in my home/user folder and make them executable. I can also change $PATH it seems and append to the .bashrc even though I only have read access on that file. But I still can't get my head around how to "DIVERT" tmp/file from tmp/file2 to one of my own cat /root/filewithinfo.

Any suggestions?

I can't do anything with sudo except sudo /tmp/file.py.

Some tests that I've done:

  • mkdir -p /home/user/bin
  • touch /home/user/bin/sudo
  • chmod +x /home/user/bin/sudo

But I can't escalate due to no sudo permission on user/bin, etc.

I appended a bin/bash to .bashrc

user@server:~$ source /home/user/.bashrc 
Sorry, user user is not allowed to execute ‘/bin/bash’ as root on server.

This doesn't work, either:

echo "sudo /bin/bash" >> /home/user/.bashrc

I am open to suggestions.

Symbolic links are not possible due to the file2 existing and I can't remove it.

Feels like I should grep or pipe in another command somehow through sudo /tmp/file.py to get this solved.