To find the second flag, we have to be the root user, and to become the root user we can search for files that have the SUID bit set. If we manage to find a root-owned SUID file that runs other commands, we can leverage it to execute a command that gives us a root shell.
What is SUID?
SUID (Set-User Identification) is a special permission bit on an executable file that makes it run with the privileges of the file's owner rather than the user who launched it; when the owner is root, the program runs as root.
Use the command below to find files that have the SUID bit set.
find - the file search utility
/ - start searching from the root directory
-perm /4000 - match files that have the SUID bit (4000) set
find / -perm /4000
As we can see, there are many files, but we have to pick out the interesting one, and in this case it is /usr/bin/menu.
Why /usr/bin/menu?
Well, you won't find a file like this on a standard Linux machine, and it also has the SUID bit set, which is unusual: only a few critical system binaries such as passwd (which needs root to change user passwords) carry it.
If we run /usr/bin/menu, we see three options, and each option gives a different result according to its functionality.
Let's confirm the permissions with ls and then use the strings command to see the text strings in the menu binary.
ls -la /usr/bin/menu
strings /usr/bin/menu
As we can see, these are the commands the three options execute behind the scenes, and none of them is given by its full path (i.e. curl and uname rather than /usr/bin/curl and /usr/bin/uname):
1. status check - curl -I localhost
2. kernel version - uname -r
3. ifconfig - ifconfig
When we choose the first option, the program looks for a curl binary without a specific path and uses whichever match it finds first in the directories listed in the PATH variable. What if we create our own file named curl and make the menu execute that instead of the real one?
Steps:
- Make a file named curl.
- Echo /bin/sh into curl.
- Give it 777 permissions (read, write, execute for all users).
- Add the directory containing our curl file to the system PATH.
- Now the curl file holds our shell.
Now if we run /usr/bin/menu, it uses our PATH variable (which now includes /home/kenobi) to find the curl binary; since our curl actually contains /bin/sh, executing it gives us a root shell.
echo /bin/sh > curl
chmod 777 curl
ls
Now we can read /root/root.txt to get the second flag.
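As an added defensive counterpart, not part of the original writeup: a POSIX shell audit that lists SUID binaries absent from a known-good baseline and flags strings in a binary that name a command without an absolute path (the two things this walkthrough hunted for). It assumes strings(1) from binutils plus the usual grep and mktemp; the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added defensive example, not part of the original writeup.  Two audit helpers
# for what this walkthrough hunts for: SUID files missing from a known-good
# baseline, and embedded commands called by bare name (so the caller's PATH
# decides which program actually runs).

# unexpected_suid BASELINE CURRENT
# Print SUID paths in CURRENT that are absent from BASELINE (one absolute path
# per line in each).  Build CURRENT on the host with:
#   find / -perm /4000 -type f 2>/dev/null | sort > current.txt
# -x matches whole lines, -F treats them as fixed strings, -v inverts.
unexpected_suid() {
  grep -vxF -f "$1" "$2"
}

# flag_relative_cmds
# Read strings(1) output on stdin; print lines whose first word looks like a
# command name but is not an absolute path.  "curl -I localhost" and "ifconfig"
# are flagged, "/usr/bin/uname -r" is not.  Heuristic: ordinary words also pass,
# so treat the output as a triage list, not a verdict.
flag_relative_cmds() {
  while IFS= read -r line; do
    cmd=${line%% *}
    case $cmd in
      /*) ;;                         # absolute path: PATH is not consulted
      ''|[!A-Za-z]*) ;;              # empty, or does not start like a command
      *[!A-Za-z0-9._-]*) ;;          # punctuation: not a plausible command word
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# audit_binary FILE: run the relative-command check over a real binary.
audit_binary() {
  strings -n 4 "$1" | flag_relative_cmds
}

# Constructed demo data (stands in for strings(1) output and two inventories).
demo() {
  printf 'curl -I localhost\n/usr/bin/uname -r\nifconfig\nGCC: (GNU) 8.3.0\n' \
    | flag_relative_cmds
  base=$(mktemp) cur=$(mktemp)
  printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$base"
  printf '/usr/bin/menu\n/usr/bin/passwd\n/usr/bin/sudo\n' > "$cur"
  unexpected_suid "$base" "$cur"
  rm -f "$base" "$cur"
}
demo
```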