some notes

SUID bit Privilege Escalation Challenge

This is a really interesting one.

We have to work with symlinks here. The command to create a symlink is:
ln -s <path> <symlink_name>

Using this command I found a suspicious file:
find / -perm -u=s -type f 2>/dev/null
/usr/local/bin/backup

This is not an ordinary file. In the folder of this file I found its C++ source.
Reading this source, we can see that the program takes a user name and creates a backup of that user's home directory. There was a line like this:
Copydir("/home/" + user, "/backups/" + user)
The user is passed as the program's argument, like this:
backup <user>

Obviously, we can put any payload in the user argument, and what we want to do is add a new root user to /etc/passwd by overwriting it.

I made the following scheme for better understanding.

some notes

And one more:

some notes

Now we create a simple folder in the student's home directory, name it blalink, and make a backup:
mkdir blalink
/usr/local/bin/backup student

Now we delete the folder we just created and make a symlink with the same name, following the scheme attached above.

Don't forget to copy the passwd file and modify it.

Now let's run the backup again:
backup student/bla_link/../../../etc

And here we go.
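The root cause here is that the SUID binary splices an untrusted argument straight into a path and then follows whatever symlinks it meets while copying. Below is an added example, written for this writeup and not the challenge binary's own code, of how a backup helper with the same "backup <user>" interface should have handled the argument: it accepts only a plain account name, resolves the directory and confirms it still sits under the base directory, and never follows symlinks during the copy. The function names, the base-directory parameter (standing in for /home), and the temporary fixture built by demo() are all assumptions made for this example.

```cpp
// Hardened path handling for a SUID backup helper (added example, not the
// challenge binary's code). Assumes the same "backup <user>" interface.
#include <cctype>
#include <filesystem>
#include <fstream>
#include <string>

namespace fs = std::filesystem;

// 1. Treat the argument as an account name, not a path fragment. Anything
//    containing '/', '.', or other punctuation is refused before any path is
//    built, so "student/bla_link/../../../etc" never reaches a filesystem call.
bool valid_user_name(const std::string& user) {
    if (user.empty() || user.size() > 32 || user[0] == '-') return false;
    for (unsigned char c : user)
        if (!std::isalnum(c) && c != '_' && c != '-') return false;
    return true;
}

// 2. Resolve base/user and confirm the result still lives under base.
//    `base` stands in for /home. Returns an empty path on rejection.
fs::path safe_source_dir(const fs::path& base, const std::string& user) {
    if (!valid_user_name(user)) return {};
    std::error_code ec;
    fs::path candidate = base / user;
    if (fs::is_symlink(candidate, ec)) return {};   // home dir itself must not be a link
    if (!fs::is_directory(candidate, ec)) return {};
    fs::path resolved = fs::canonical(candidate, ec);
    if (ec) return {};
    fs::path base_res = fs::canonical(base, ec);
    if (ec) return {};
    fs::path rel = resolved.lexically_relative(base_res);
    if (rel.empty() || *rel.begin() == "..") return {};   // escaped the base
    return resolved;
}

// 3. Copy the tree without following symlinks, so a link planted inside the
//    home directory cannot redirect the copy elsewhere. Returns the number of
//    regular files copied, or -1 on error.
long copy_tree_no_symlinks(const fs::path& src, const fs::path& dst) {
    try {
        fs::create_directories(dst);
        long copied = 0;
        // recursive_directory_iterator does not descend into directory
        // symlinks unless follow_directory_symlink is requested.
        for (const fs::directory_entry& e : fs::recursive_directory_iterator(src)) {
            if (e.is_symlink()) continue;   // skip links entirely
            fs::path target = dst / e.path().lexically_relative(src);
            if (e.is_directory()) {
                fs::create_directories(target);
            } else if (e.is_regular_file()) {
                fs::copy_file(e.path(), target, fs::copy_options::overwrite_existing);
                ++copied;
            }
        }
        return copied;
    } catch (const fs::filesystem_error&) {
        return -1;
    }
}

// Self-contained demo on a constructed fixture in a temp directory that
// mirrors the challenge layout: home/student with a symlink "bla_link" -> /.
// Returns true when every hardened check behaves as intended.
bool demo() {
    fs::path root = fs::temp_directory_path() / "suid_backup_demo";
    fs::remove_all(root);
    fs::path home = root / "home";
    fs::create_directories(home / "student");
    { std::ofstream f(home / "student" / "notes.txt"); f << "hello\n"; }
    fs::create_directory_symlink("/", home / "student" / "bla_link");

    bool ok = true;
    // Traversal-style argument is rejected before any path is built.
    ok = ok && safe_source_dir(home, "student/bla_link/../../../etc").empty();
    // A plain account name resolves to the expected home directory.
    ok = ok && safe_source_dir(home, "student") == fs::canonical(home / "student");
    // The copy brings over notes.txt and nothing from behind the symlink.
    fs::path dst = root / "backups" / "student";
    ok = ok && copy_tree_no_symlinks(home / "student", dst) == 1;
    ok = ok && fs::exists(dst / "notes.txt") && !fs::exists(dst / "bla_link");

    fs::remove(home / "student" / "bla_link");   // drop the link before cleanup
    fs::remove_all(root);
    return ok;
}
```

Beyond the checks, the same program should also drop its elevated privileges before touching anything under the user's control, and a periodic `find / -perm -u=s -type f` like the one above is a cheap way for an administrator to notice custom SUID helpers such as this one.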