ASU CSE 466

Homework 1 is over! It was due at 12:00 MST on Wednesday 8/29/18.

This homework explores the impact of SUID misuse on the security of a system. Specifically, upon connecting, you can choose a single binary on the system to be set SUID, and you will then be provided a shell on a Linux environment. In this environment, there is a file /flag, containing the secret flag that you must read out. However, the file is only readable by root user! Using your single SUID binary, you must elevate your privileges enough to read out the flag.

A single SUID binary will net you a single flag. That is, specifying /bin/cat and using it to leak out the flag (as in the example below) will get you one point, and specifying /usr/bin/tail and using it to leak out the flag (as in another example below) will get you another. In a more complex case, specifying /bin/chmod (as in the example below) and then using that to change the permission of other programs and read out the flag that way will get you a flag for chmod regardless of what other permissions you change, since /bin/chmod was the specified command.

For this assignment, each flag will earn one point. After 70 points, you will be graded on a curve. Read the syllabus.html the full details of the grading system.

Accessing Homework 1

You can connect as such:

ssh hw1@cse466.pwn.college

You can also connect directly on port 23 if you don’t want to deal with SSH.

nc cse466.pwn.college 23

This makes it easier to script interaction with the homework. My recommendation is that you use pwntools if you want to do so. There is a short primer here and the full documentation here. This is an example script that will allow you to connect.

import pwn

homework_password = PUT_THE_HOMEWORK_PASSWORD_HERE
hacker_alias = YOUR_HACKER_ALIAS
asurite = YOUR_ASURITE

r = pwn.remote("cse466.pwn.college", "23")
r.sendline(homework_password)
r.sendline(hacker_alias)
r.sendline(asurite)

r.readuntil("Choice: ")
r.sendline("2")
r.readuntil("Binary: ")
r.sendline("/bin/cat")
r.sendline("cat /flag")
r.sendline("exit")
print "[*] Result:", r.readuntil("Flag: ")
r.sendline("PUT_FLAG_HERE")
r.sendline("3")

The password has been emailed to the class mailing list, and you can check it in the archives.

Solving Homework 1

Here is a sample interaction that successfully retrieves the flag by setting the SUID flag on /bin/cat (you may use this for one of your solutions!), thus allowing /bin/cat to run as root. cat is a program that concatenates files and prints them out to standard out (if this is confusing, you are behind. You need to read the resources linked below to get un-confused). Thus, retrieving the flag with it is quite simple:

myuser@mylaptop:~$ ssh hw1@cse466.pwn.college
hw1@cse466.pwn.college's password: 
[+++] Hacker Alias: ducky007
[+++] ASURITE: 123
[+++] 
[+++] 
[+++] 1. Show Scoreboard
[+++] 2. Solve HW1
[+++] 3. Quit
[+++] Choice: 2
[+++] Path to Binary: /bin/cat
hw1@b38bdd753b5b:~$ cat /flag
CSE466{747985b99bd25b8805ced639297720ae71e87a7acef580dc6b514143e5152133}
hw1@b38bdd753b5b:~$ exit
[+++] Flag: CSE466{747985b99bd25b8805ced639297720ae71e87a7acef580dc6b514143e5152133}
[+++] Correct Flag!

As you can see, this gives you the flag associated with /bin/cat. Let’s choose another program: say, /usr/bin/tail (you may use this for another solution!). tail is a program that prints out the last few lines of a file. Since the /flag file only has one line (the flag), this is perfect for us! Specifying /usr/bin/tail, you will receive another flag:

[+++] 1. Show Scoreboard
[+++] 2. Solve HW1
[+++] 3. Quit
[+++] Choice: 2
[+++] Path to Binary: /usr/bin/tail
hw1@b38bdd753b5b:~$ tail /flag
CSE466{7ca9d3c2fcbaa0c0cde22777bfefff2a5f5ac707f5194f91cd24226dbae0b74b}
hw1@b38bdd753b5b:~$ exit
[+++] Flag: CSE466{7ca9d3c2fcbaa0c0cde22777bfefff2a5f5ac707f5194f91cd24226dbae0b74b}
[+++] Correct Flag!

Note that this is a different flag from /bin/cat! Now, you have two points: one for cat and one for tail. Note that, while /bin/cat and /usr/bin/tail is easy, other programs are not so simple to read the flag with. No matter how convoluted retrieving the flag is with a given program, one unique SUID binary path will only ever yield one flag.

For a slightly more complex example, let’s look at /bin/chmod. chmod is a program that can change permissions of files. There are many ways to read the /flag file with chmod. We’ll cover a few here (feel free to use this for one of your solutions!).

First, we can simply change the permissions of the /flag file to allow us to read it:

[+++] Path to Binary: /bin/chmod
hw1@5d1f52fff4e8:~$ chmod 644 /flag
hw1@5d1f52fff4e8:~$ cat /flag
CSE466{36ef1e24753a8e3119eeac953e44f47f48aa388f9a72e2cb2d54fc9a622c5ef8}
hw1@5d1f52fff4e8:~$ exit
[+++] Flag: CSE466{36ef1e24753a8e3119eeac953e44f47f48aa388f9a72e2cb2d54fc9a622c5ef8}
[+++] Correct Flag!

Second, we can make the /bin/cat binary SUID, so that it runs as root and lets us read the flag.

[+++] Path to Binary: /bin/chmod
hw1@5d1f52fff4e8:~$ chmod 4755 /bin/cat
hw1@5d1f52fff4e8:~$ cat /flag
CSE466{36ef1e24753a8e3119eeac953e44f47f48aa388f9a72e2cb2d54fc9a622c5ef8}
hw1@5d1f52fff4e8:~$ exit
[+++] Flag: CSE466{36ef1e24753a8e3119eeac953e44f47f48aa388f9a72e2cb2d54fc9a622c5ef8}
[+++] Correct Flag!

And we can do the same with other binaries, such as /usr/bin/tail:

[+++] Path to Binary: /bin/chmod
hw1@5d1f52fff4e8:~$ chmod 4755 /usr/bin/tail
hw1@5d1f52fff4e8:~$ cat /flag
CSE466{36ef1e24753a8e3119eeac953e44f47f48aa388f9a72e2cb2d54fc9a622c5ef8}
hw1@5d1f52fff4e8:~$ exit
[+++] Flag: CSE466{36ef1e24753a8e3119eeac953e44f47f48aa388f9a72e2cb2d54fc9a622c5ef8}
[+++] Correct Flag!

Note that all three ways of getting the flag after specifying /usr/bin/chmod get the same flag. This is because the flag depends on the path to the binary that you specify in the Path to Binary: prompt. chmod is great, and it’ll let you run any binary with SUID, but it’ll only get you one flag.

Now you have three freebies. Go get the rest!

HINT: Reading program documentation

To get a flag using a given program, you need to understand how the program works. For cat and tail it’s easy. Can you get the flag using /bin/whiptail, a program that is used to create TUIs (Text User Interfaces)? Hint: yes, but you need to know how to use whiptail!

So, how do you learn? There are two main ways: the program help and the program manual. The program help is generally accessed by using the -h, --help, or --usage options (i.e., whiptail --usage). The program manual is generally accessible using the man or info commands (man whiptail or info whiptail).

Unfortunately, the man command is broken on the homework server because of the sheer amount of random stuff installed on it to give you more targets SUID binaries to leak the flag. Until it is fixed, you can determine which package a given binary belongs to, install it in a separate docker container, and read the documentation there. To do this, you will need to understand what to install.

For example:

hw1@b38bdd753b5b:~$ dpkg -S /usr/bin/find
findutils

#
# on your own VM or docker container
#

# first, install man
you@computer:~$ sudo apt-get install manpages man-db

# then, install the application
you@computer:~$ sudo apt-get install findutils

# then, look up the man page!
you@computer:~$ man find

You can also find manuals on google. For example, googling man whiptail will bring up the whiptail manual.

This is a hacking challenge. You will have to abuse these programs. They might not be originally intended to read out files, but you can often misuse their functionality to do so. Their documentation is your friend.

HINT: Dealing with errors

In the course of trying to abuse programs into giving you the flag, they might fail in weird ways. They might also fail in weird ways because of the way the container is run. As a rule of thumb, you should google all the errors that you get. Sometimes, the solution is quite simple!

/bin/whiptail is a great example of this: it doesn’t work at all right out of the box, but the error that it gives you (TERM environment variable needs set.), and the first result on google shows you how to fix that. There are other good examples of this (such as /bin/nano).

HINT: Picking your targets

There are a lot of targets to pick from (over 7,000), since you can SUID any ELF binary. You can get your list of targets by doing (inside the container):

hw1@f098f2fbfb1a:~$ find / -type f -executable -exec file \{\} \; | grep ELF | grep -o .*:

(HINT: understanding how that command works will get you another flag.) To succeed in this class, you should already have a good idea of which programs to start with. In general, almost any application that moves data from a file to somewhere else (the screen, another file, etc) can be used to leak the flag. For example, in the context of the useful resources below, consider how you would use /bin/cp to leak the flag? It is doable.

Once you have leaked the flag with a given program, look for similar programs. For example, tail and head are very similar, and can both be used to leak the flag.

Other hints

Also keep in mind a few hints:

  1. You don’t necessarily have to read the entire flag, cleanly, in one swoop. Some programs might mangle it (but in a way that you can unmangle), and some programs might only be able to leak a small amount of it in a single execution.
  2. This is a hacking challenge. There may be some “metagaming” that you can do. Look into how all parts of Linux work; it might help!
  3. Think very carefully about how programs present information to you when they don’t think that information is something critical. Debug info when debug flags are enabled. Error messages containing data that isn’t sensitive when it’s data you have access to anyways, but could be sensitive when the program has access to data that you don’t have access to. These situations expose methods that you can abuse certain programs to get flags.
  4. Sometimes, lazy programmers call out to other utilities instead of writing the functionality themselves. What happens if those other utilities are SUID root? What happens if you can influence where those other utilities are launched from (i.e., check out the PATH variable). This relies on lazy programming of the utilities that you are attacking, so you might want to pick up other targets before going down this path.

Launching GUI programs

Since some of these programs are graphical applications, you may need to use “X forwarding” to get them to work. There are plenty (thousands) of non-graphical applications to try, and you should really focus on those first if X forwarding is unfamiliar to you. If you want to run these programs, you will need to forward the graphical interface from the homework VM to your computer using the X11 protocol. You can read details on this here. Note that, with the way the connection to the server is configured, X forwarding over SSH will NOT work — you will need to use the “Plain Ol’ Vanilla X11 Remote Connection” method, and will have to set up an X server that is accessible from the homework machine, such as a system connected to the open internet. This is one of the things that is easier to do with a real Linux machine rather than a VM, as the latter will require you to deal with forwarding the X11 port from your computer into the VM.

Other useful resources

Some other useful resources: