Environment Variables
Start course
2h 29m

This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!


Hi, within this lecture, we're going to try and become rude by exploiting the environment variables or path like we have discussed in the previous lecture. So far, we know that this SUID binary is trying to run the service Apache2 start, so I'm going to see if we can make our own way of service and make sure Linux finds it first rather than finding the regular service binary or regular service executable so that it gets executed by route and we become root. So, let's see how it works, okay? Again, we're going to create a file for us. We're going to try and create an executable and then we will make it in the path. So, let me show you how it works. First, I'm going to create a C file and I'm going to use exactly what we have used before and I'm just going to do this in one line, so you can just take a note of this as well. I'm going to echo the C code in the file because I don't know whether we have none over here or whim. And I mean I know we have it but I just wanted to show you this as well. So, you have to write echo with a single quotation mark, 'int main, okay. So, this is our entry point for our c code and it will return an integer and it doesn't mean that we have to return a specific one. We can just return whatever we want over here. Okay, this is our main entry point, main method over there. So, I'm going to write our code under this main method and again, I'm just going to use the GID set UID thingy that we have seen before and be aware that if you don't have none or whim in an environment that you can just use this. So, open the curly braces and write  setgid to 0. Okay, so this zero is important actually. So, the gid0 and uid0 stands for the root, so make sure you exactly write like this. Okay, setgid0; setuid0; and then just use the system in order to spawn the bash which is /bin/bash like this, okay? And then you can just return a number over here because we have executed this or written this with int main, okay? So, it expects to return some integer which is a whole number actually if you don't know what an integer is, so this will return zero. And again, it's not very important what we return over here and let me just delete this parenthesis and replace it with curly brace because I believe that's the way we should do it like that. Here you go. Now, I believe we are okay. Now, I'm going to write this under a file under the TMP folder file called service. Okay, now we have the service. let me cut this out. So, this is service. Here you go. Of course, this is just the code itself. Now, I believe we have to make this executable so that it can be executed then it's reached, okay? When it's reached by the user or when it's reached by the SUIDN file, okay? And I believe we have to make sure that let me just do this one more time. We have to make sure that around this with service C, okay? Because this is the C code and then we're going to convert this into an executable and call that C, okay? So, I'm going to run this gcc /tmp/service.c and the output will be tmp/service like this. So, let me run ls -la and see if it has overridden it. So, let me run ls -la on tmp actually and here you go. We have the service.c, service executable. This is the thing that we are looking for. Now, we managed to convert this into executable. And if we can make our Linux seize the service first, before the original service that has been put under user bin or something like that, then it will work, right? Let's see if we can actually do that. So far, we haven't changed anything regarding to path right now, and this is how you do it. You have to use export comment and write path, and just assign a path over here. So, if you write tmp: with a colon path like this, then tmp will be put in path. So, this is exactly the comment that you should run. And now if I print the path, now as you can see tmp actually is shown in the first place. Now, if it's shown in the first place, then we are good to go because this is how it works, it works in order, okay. If it finds service under tmp, then that's it. It will not go and execute the one in the user local bin, it will execute the one in the tmp, okay? And now, since we can export this path, then it's very good for us because now we have the service executable under tmp. And if we can actually run the thing that we have been working on, let me just run this. Find command one more time and let's change the type like this, okay? And here you go, that's the word, that's the thing that I'm talking about. This is user/local/bin/suid and over here. So, if we run this, it will run service apache2 start. And rather than original service under the user bin or user local bin, it will find the service executable that we have run and here you go. When we write who am I, we are root. Again, this is kind of advanced. It's hard to find, it's hard to detect in a real life environment, so it was obvious over here because it has been named like SUID and something like this so that we can understand at least get a clue of what's going on, and you can see the details over here in the task here as well. You can just get the code from here as well. But again, if you get this, it will be big, okay? So, I wanted to show you all of these things, all of these important things. And I really suggest you take a note of that in your own CTF challenge files. And again I have shown you mine and in fact I believe I have to take this note as well. But because I don't have it over here, right? So, I have this sudo -l, and I'm going to do the same thing over here. I'm just going to take a note of this because I use this a lot in CTFs. If I find some way to just execute the C code or a binary or a shared object, then I will use this. Okay, it will be very beneficiary for you. And again, you should take note of this as well. I believe I already have this but I will see if I have it, over here, let's see. Here you go. I have the this thing over here but I can always search for the alternative one over here as well. So far, so good. Now again, these are all advanced things but we have seen the basic ones before. And maybe you can just take a note of this exploitation, the long C code that we have run before, because it's good as well, okay? So, make sure you just put those things in the right place. And here you go, now we are ready. So, I believe this section was a little bit hard. But again, once you get to actually solve the CTS and once you get to have a little bit experience on those, then it will be better for you, it will be easier for you in time. So far, so good. I'm going to stop here and continue within the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.