This is toc2 from THM. It’s medium rated. I mostly want to talk about the privesc, because I hadn’t seen it before.
Foothold
Just a quick note on this; we were given some database credentials and allowed to install a CMS. This was a nice original touch which I appreciated.
Privesc
The privesc uses a race condition vulnerability. We are provided a binary and the source code for it, plus a file only readable by root containing the credentials for the root user. Here’s the source:
The binary has the SUID bit. The usage is:
So the argv[1] variable contains (initially at least) the path to the root_password_backup file, and the race condition arises because that variable is used twice: first by the access function on line 17, and then again by open on line 19. Because access checks permissions against the real user while open in a SUID binary runs as root, a check-then-use gap exists, and we get a small window to swap what the path points to between the first and second call.
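As an added illustration (not the room's binary or source), the vulnerable check-then-use shape next to a hardened open, plus a constructed demo that builds a file 'a' and a symlink 'hax' in a temp directory and shows the hardened routine refusing the symlink. The function names and the temp paths are assumptions, not from the writeup.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape from the writeup: access() checks the path as the real uid,
 * then open() uses it as the effective uid (root under SUID); the path can be
 * re-pointed between the two calls. */
int vulnerable_open(const char *path) {
    if (access(path, R_OK) != 0) return -1;
    return open(path, O_RDONLY);
}

/* Hardened: no separate check. Drop to the real uid so the kernel does the
 * permission check inside open() itself, refuse a symlink as the final path
 * component, and validate the opened fd (not the path) with fstat(). */
int hardened_open(const char *path) {
    uid_t euid = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC), err = errno;
    struct stat st;
    if (seteuid(euid) != 0 || fd < 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        if (fd >= 0) close(fd);
        errno = err;
        return -1;
    }
    return fd;
}

/* Constructed demo: regular file 'a' and symlink 'hax' -> 'a' (the names from
 * the writeup) in a fresh temp dir. Returns 1 when vulnerable_open follows
 * the symlink, hardened_open refuses it, and hardened_open still opens 'a'. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/toctou_demo_XXXXXX", a[64], hax[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(a, sizeof a, "%s/a", dir);
    snprintf(hax, sizeof hax, "%s/hax", dir);
    int fd = open(a, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || symlink(a, hax) != 0) return 0;
    close(fd);
    int vuln = vulnerable_open(hax), hard = hardened_open(hax), plain = hardened_open(a);
    int ok = vuln >= 0 && hard < 0 && plain >= 0;
    if (vuln >= 0) close(vuln);
    if (plain >= 0) close(plain);
    unlink(hax); unlink(a); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only covers the last path component; dropping privileges for the open is what actually closes the window, since the kernel then checks and opens in one step.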
The exploit code we use is:
This comes from here. Ignore the lograte name in the path of the linked repo; that code is similar but not the same as this. All this code does is call the renameat2 system call in a while loop, repeatedly replacing file A with file B.
I compiled the exploit code on the box into a binary I called racer.
I created an empty file called ‘a’, and a symlink to the root_password_backup called hax. Then I called the binary:
Separately:
This was pretty cool. A similar technique is discussed here and here.