I just wrote a program to easily launch program as other users without using sudo and all its painful configuration. Mind having a look? ssh sudo@sudo.ctf.insecurity-insa.fr -p 11111 (password: sudo)

By connecting to the machine we can notice that there is a flag with owner with uid 1000, but we are uid 1001 and we can’t cat it. There is a binary, sudo, that contains a whitelist of programs that we are allowed to launch with higher permissions (uid 1000). The whitelist is a list of sha256 hashes, and we can notice that they correspond to the hashes of the content of /bin/ls and /usr/bin/id.
$ sha256sum /bin/ls same_hash_contained_in_the_sudo_binary

In order to break this we could:

  • copy /bin/ls to /tmp/ls
  • start /tmp/ls with ./sudo
  • sudo will the hash of /tmp/ls to see if it is in the whitelist.
  • in the meanwhile we replace that binary with our binary that cats the flag.
  • if we are able to replace the binary after the read of its content by sudo, and before sudo performs the execve(), our binary will start with high permissions.

The problem is that $ cp /bin/ls /tmp/ls gives an error, we don’t have enough space on the disk

We can cheat in the following way $ ln -s /bin/ls /tmp/ls A symbolic link does not consume much space, so this command succeeds. ./sudo reads the file with fopen, and it should read the right content even behind a symlink, and compute the right hash, and start the program, but… $ ./sudo /tmp/ls does not start the program, for some reasons unknown to me.

So we can use a different strategy, instead of symlinking the binary directly, we can symlink a folder containing the binary: $ ln -s /bin/ /tmp/bin and prepare a different folder containing our crafted binary $ mkdir -p /tmp/newbin/bin $ echo base64_of_a_binary_that_reads_the_file_flag.txt |base64 -d > /tmp/newbin/bin/ls $ chmod +x /tmp/newbin/bin/ls Then we can start ./sudo in parallel with a program that overrides the symbolic link $ ./sudo /tmp/bin/ls & ln -s -f /tmp/newbin/bin /tmp/

In this way, sudo starts, it reads /tmp/bin/ls that is /bin/ls, then if we are lucky it gets interrupted before the execve(), the second part of the command starts (ln -s), that overrides /tmp/bin with /tmp/newbin, then sudo resumes and executes /tmp/bin/ls that is our crafted binary.
By repeating 2-3 times the last sequence of commands our crafted binary starts and we obtain the flag INSA{am_I_2_quick_4_U?}.