Description
When attempting to execute /challenge/run, I was greeted with this error:
hacker@practice~defconquals2018~www:~$ run
/usr/bin/env: ‘bash-suid’: No such file or directory
And /challenge/run is simply:
#!/usr/bin/env bash-suid
env -i -- chown www:www /flag
env -i -- /bin/su www -c /opt/www/frontend.py
So, where is bash-suid? Well, I did manage to find it:
$ find /nix -name bash-suid 2>/dev/null
/nix/store/789i7zsjg9043hliha5w60yhyx0b825f-bash-suid/bin/bash-suid
But for whatever reason it's not in PATH. By PATH injection and a symlink, I was able to get the challenge to work:
$ ln -s /nix/store/789i7zsjg9043hliha5w60yhyx0b825f-bash-suid/bin/bash-suid .
$ PATH=/home/hacker/wwwtest:$PATH run
Welcome to the pre-alpha web aka 520d462abb92809b4fa1eaaafabbaee4
What URL would you like this old dog to fetch?
However, this is obviously less than ideal, because not only is it not in PATH, but the environment wasn't reset either. By combining these issues, and knowing the bash-suid path, it is possible to solve it the unintended way.
wwwtest$ PATH=/home/hacker/wwwtest:$PATH run
pwn.college{practice}
pwn.college{practice}
Now at this point, let's triage it further together. Is something wrong with root's path?
# echo $PATH
/run/challenge/bin:/run/dojo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
It looks fine to me? Well, it's some legacy suid interpreter that's not in any root's path apparently, which stinks because I've already written all this up. @ConnorNelson You figure that out!
Nonetheless, the path can be modernized. Perhaps something like this:
#!/usr/bin/env -iS /opt/pwn.college/bash
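As an added example (not part of this issue or the pwn.college repository), here is a small POSIX sh checker that audits the two properties discussed above for any launcher script: whether the shebang resolves its interpreter through PATH (`/usr/bin/env NAME`, which is what broke here and what made the PATH injection possible) or by absolute path, and whether `env` is asked to clear the environment with `-i`. The sample shebang lines it creates are constructed for the demo; the `classify_shebang` and `make_samples` function names are my own.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not the challenge infrastructure's own code).
# classify_shebang FILE prints two words: how the interpreter is resolved
# ("absolute", "path-dependent", "relative-interpreter", "env-no-command",
# "no-shebang") and whether env clears the environment ("cleared"/"inherited").

classify_shebang() {
    first=$(head -n 1 "$1" 2>/dev/null) || { echo "unreadable inherited"; return 1; }
    case "$first" in
        '#!'*) ;;
        *) echo "no-shebang inherited"; return 1 ;;
    esac
    # Drop the "#!" prefix and surrounding whitespace, then split interpreter from arguments.
    rest=$(printf '%s\n' "${first#??}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    interp=${rest%% *}
    args=""
    [ "$rest" != "$interp" ] && args=${rest#* }

    case "$interp" in
        /*) ;;
        *) echo "relative-interpreter inherited"; return 1 ;;
    esac

    case "$interp" in
        */env)
            # env only clears the environment when given -i (alone or bundled, e.g. -iS).
            envmode="inherited"
            case " $args " in
                *" -i"*|*" --ignore-environment"*) envmode="cleared" ;;
            esac
            # The first token that is neither an option nor a VAR=value assignment is
            # what env will execute; a bare name like "bash-suid" is looked up in the
            # caller's PATH. (Simplification: options taking a value, such as -u NAME,
            # are not special-cased.)
            target=""
            for tok in $args; do
                case "$tok" in
                    -*|*=*) continue ;;
                    *) target=$tok; break ;;
                esac
            done
            case "$target" in
                "") echo "env-no-command $envmode"; return 1 ;;
                /*) echo "absolute $envmode"; return 0 ;;
                *)  echo "path-dependent $envmode"; return 1 ;;
            esac
            ;;
        *) echo "absolute inherited"; return 0 ;;
    esac
}

# Create constructed sample launchers in a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf '#!/usr/bin/env bash-suid\nenv -i -- chown www:www /flag\n' > "$dir/run-as-reported"
    printf '#!/usr/bin/env -iS /opt/pwn.college/bash\n' > "$dir/run-proposed"
    printf '#!/usr/bin/env python3\nprint(1)\n' > "$dir/env-python"
    printf '#!/bin/sh\necho hi\n' > "$dir/plain"
    printf 'echo no shebang here\n' > "$dir/no-shebang"
    echo "$dir"
}

demo() {
    dir=$(make_samples)
    for f in "$dir"/*; do
        printf '%-16s %s\n' "$(basename "$f")" "$(classify_shebang "$f")"
    done
    rm -rf "$dir"
}

demo
```

Running the demo classifies the shebang from this issue as `path-dependent inherited` and the proposed replacement as `absolute cleared`; any privileged launcher reported as `path-dependent` is one whose behaviour depends on the caller's PATH.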