Sunday, 7 October 2018

RootMe - CTF App Security - Perl - Command Injection

I'm seriously considering the CTF topic; it is so much fun, but I need to learn more and more.

A good choice to start learning is


Root Me allows us to practice with a lot of challenges, classified by category: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.

Let's start with the first category: App - Script.

The fourth challenge that we face is: Perl - Command Injection:

Vulnerability type:
  • Command Injection

This challenge is very similar to Bash - System 1. To begin, open a terminal and type:
  • ssh -p 2222 app-script-ch7@challenge02.root-me.org
to connect to the target system. If it asks for a password, enter app-script-ch7.

If we run the ls -la command, we see four files: ch7, setuid-wrapper, setuid-wrapper.c and .passwd.

It's easy to note that .passwd contains the solution of the challenge.

If we try to read the .passwd file with cat, less, more, etc., we cannot, because of its permissions: only the owner of the file has the privilege to READ it. What can we do?

We can use a "weakness" caused by the SETUID (SET User ID) bit being set to 1. This kind of exploit allows us to perform privilege escalation: the program runs with the privileges of its owner, even though we are not the owner.

SETUID is a permission that can be set on files. It is normally set with the command chmod u+s filename or chmod 4755 filename. In the permission string, this replaces the x of the User (owner) permissions with s.

In our case, we cannot chmod the file we are interested in, because we do not own it, but we can find which files already have SETUID set. To check this, we type:
  • find / -perm -u=s -type f 2>/dev/null
This searches for all files with the SETUID bit set to 1. Among them is setuid-wrapper, so we can execute this program (and therefore its process) as the owner of the program, which is also the owner of .passwd.
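The defensive counterpart of the find command above is a periodic audit: list every setuid file, record its owner, and flag anything that is not on a reviewed baseline. The following script is an added example written for this post, not something from the original write-up or from Root Me. The baseline entries and the default search root are constructed placeholders, and Perl's -u file test does the same job as find -perm -u=s.

```perl
#!/usr/bin/perl
# Added example (not part of the original post): audit setuid regular files
# under one or more directory trees and flag those missing from a baseline.
# The baseline below is a constructed placeholder, not a real system's list.
use strict;
use warnings;
use File::Find;

# Baseline: setuid paths an administrator has reviewed and accepts.
my %baseline = map { $_ => 1 } qw(
    /usr/bin/passwd
    /usr/bin/sudo
);

# Collect setuid regular files under the given roots. -u tests the setuid
# bit, -f restricts to regular files; symlinks are skipped, as with
# `find -type f`, so a link to a setuid binary is not double-counted.
sub find_setuid {
    my (@roots) = @_;
    my @hits;
    find({
        no_chdir => 1,   # $_ is then the full path, same as $File::Find::name
        wanted   => sub {
            return if -l $_;
            return unless -f $_ && -u _;
            my @st    = stat _;
            my $owner = getpwuid($st[4]) // $st[4];
            push @hits, {
                path  => $File::Find::name,
                owner => $owner,
                mode  => sprintf('%04o', $st[2] & 07777),
            };
        },
    }, @roots);
    return @hits;
}

# Print one line per setuid file and return the paths not in the baseline.
sub audit {
    my (@roots) = @_;
    my @unexpected;
    for my $hit (find_setuid(@roots)) {
        my $known  = $baseline{ $hit->{path} };
        my $status = $known ? 'expected' : 'UNEXPECTED';
        printf "%-10s %s %-12s %s\n",
               $status, $hit->{mode}, $hit->{owner}, $hit->{path};
        push @unexpected, $hit->{path} unless $known;
    }
    return @unexpected;
}

# Roots come from the command line; /usr/bin is only a placeholder default.
my @roots      = @ARGV ? @ARGV : ('/usr/bin');
my @unexpected = audit(@roots);
print scalar(@unexpected), " setuid file(s) not in baseline\n";
exit(@unexpected ? 1 : 0);
```

Run it as perl audit_setuid.pl /usr/bin /usr/sbin (any directory list works). A non-zero exit status when something unexpected turns up makes it easy to wire into a cron job or a configuration-check pipeline; on a challenge box like this one, a wrapper such as setuid-wrapper would show up as UNEXPECTED because it is not in the baseline.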

How does setuid-wrapper work? To check this, I can open the setuid-wrapper.c file with less setuid-wrapper.c. I note that setuid-wrapper executes the Perl script ch7.pl. This Perl script works as follows: it waits for a filename from user input, then it computes the number of Lines, Words and Chars.

In the Perl code, the input is not sanitized, so we can perform command injection. By running ch7.pl through setuid-wrapper, we can execute Linux commands with the permissions of the owner of setuid-wrapper, who is also the owner of .passwd, so we type:
  • ./setuid-wrapper
At this point, ch7.pl is executed with app-script-ch7-cracked privileges. The Perl program asks us to enter a filename. Since the input is not sanitized in the Perl code, we can inject commands at the >>> prompt in this way:
  • | cat .passwd
or:
  • cat .passwd|xargs touch| (This tries to create a file named with the flag contents, but since the user doesn’t have write permissions we see the system error displaying the flag)
or:
  • cat .passwd > /tmp/x | (the trailing "|" executes the command; the flag can then be read from the /tmp/x file)
or:
  • cat .passwd 1>&2|
With any of these command injections, we get the solution.
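What makes every one of those payloads work is that the filename string is allowed to choose how Perl opens it. The script below is an added example written for this post, not Root Me's ch7.pl; the exact shape of the challenge's flaw is an assumption here, and Perl's two-argument open, which treats a leading or trailing "|" as a pipe to a shell command, is one common way a filename turns into a command. It shows that vulnerable form next to a hardened one that validates the name against an allow-list and uses three-argument open, which can never spawn a shell, and exercises the hardened counter on constructed input including the injection strings above.

```perl
#!/usr/bin/perl
# Added example (not Root Me's ch7.pl): a line/word/char counter in the
# challenge's style, in a vulnerable form and a hardened form. The exact
# shape of the challenge's flaw is an assumption; two-argument open is one
# common way a user-supplied filename becomes a shell command.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hygiene for anything that may run setuid: a fixed PATH and none of the
# shell-influencing variables inherited from the caller (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Count lines, words and characters from an open filehandle.
sub tally {
    my ($fh) = @_;
    my ($lines, $words, $chars) = (0, 0, 0);
    while (my $line = <$fh>) {
        $lines++;
        $chars += length $line;
        my @w = split ' ', $line;   # split on whitespace, like wc -w
        $words += @w;
    }
    return ($lines, $words, $chars);
}

# VULNERABLE: two-argument open lets the *data* choose the mode. A name such
# as "| cat .passwd" or "cat .passwd 1>&2|" is taken as a pipe to or from a
# shell command, which then runs with the setuid owner's privileges.
# Kept for comparison only; nothing below calls it.
sub count_vulnerable {
    my ($name) = @_;
    open(my $fh, $name) or die "cannot open $name: $!\n";
    my @counts = tally($fh);
    close $fh;
    return @counts;
}

# HARDENED, step 1: validate the name against a strict allow-list before it
# is used. Letters, digits, '_', '-' and '.' only; it must start with an
# alphanumeric (so no dotfiles such as .passwd) and contains no '/' (so no
# traversal out of the data directory).
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name;
    return ($name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,254}\z/) ? $name : undef;
}

# HARDENED, step 2: three-argument open with an explicit '<' mode. Whatever
# the string contains, Perl treats it as a path, never as a command.
# Returns (hashref, undef) on success or (undef, reason) on failure.
sub count_file {
    my ($dir, $name) = @_;
    my $safe = safe_name($name);
    return (undef, 'invalid filename') unless defined $safe;
    my $path = File::Spec->catfile($dir, $safe);
    open(my $fh, '<', $path) or return (undef, "cannot open: $!");
    my ($lines, $words, $chars) = tally($fh);
    close $fh;
    return ({ lines => $lines, words => $words, chars => $chars }, undef);
}

# Demo on constructed input: a temporary data directory holding one file.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'sample.txt')) or die "$!\n";
print $out "alpha beta\ngamma\n";   # 2 lines, 3 words, 17 chars
close $out;

# The first name is legitimate; the others are the shapes of the injections
# discussed above plus a traversal attempt. safe_name refuses all of them,
# so the open is never reached.
for my $input ('sample.txt', '| cat .passwd', 'cat .passwd 1>&2|',
               '../.passwd', '.passwd') {
    my ($res, $err) = count_file($dir, $input);
    if ($res) {
        printf "%-18s -> %d lines, %d words, %d chars\n",
               $input, $res->{lines}, $res->{words}, $res->{chars};
    } else {
        printf "%-18s -> rejected (%s)\n", $input, $err;
    }
}
```

The allow-list is deliberately narrow rather than a deny-list of shell metacharacters: a deny-list has to anticipate every character the shell treats specially, while an allow-list only has to describe the names the tool is meant to accept. Running the script under perl -T (taint mode) adds a further layer, since Perl then refuses to pass unvalidated input to anything that could reach a shell.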
