Thread: c script for privilege escalation

  1. #1
    Registered User
    Join Date
    Feb 2021
    Posts
    5

    c script for privilege escalation

    Hi there i'm stuck in a privillege escalation ctf. I found the above script in c and i can understand that it takes as input a config.json file with some arguments. One of the args is fhcrefrpergcnffjbeq that in rot13 is the supersecretpassword encoded. In the same folder i found also the compiled a.out. So i guess i have to make a config.json file with some args and run the compiled a.out. Thank you in advance!


    Code:
    #include<stdio.h>
    #include<stdlib.h>
    #include<ctype.h>
    #include<json-c/json.h>
    #include<string.h>
    #include<unistd.h>
    
    #defineBUFLEN2048
    
    char *encrypt(const char *ptxt, size_t len)
    {
    
      char *ctxt = calloc(len + 1, sizeof(char));
    
      for (int i = 0; i < len; i++) {
        ctxt =
            ((isalpha(ptxt)) ? (tolower(ptxt) < 'n' ? ptxt + 13 : ptxt - 13) :
             ptxt);
      }
    
      return ctxt;
    }
    
    int main(int argc, char **argv)
    {
    
      FILE *fp;
      char buffer[BUFLEN];
      struct json_object *jsonData;
      struct json_object *jsonCmd;
      struct json_object *jsonArgs;
      struct json_object *jsonSecret;
      int flag = 0;
    
      fp = fopen("config.json", "r");
      if (fp) {
        fread(buffer, BUFLEN, 1, fp);
        fclose(fp);
    
        jsonData = json_tokener_parse(buffer);
        if (json_object_object_get_ex(jsonData, "cmd", &jsonCmd)
            && json_object_object_get_ex(jsonData, "args", &jsonArgs)
            && json_object_object_get_ex(jsonData, "secret", &jsonSecret)) {
    
          const char *cmd = json_object_get_string(jsonCmd);
          size_t argsLen = json_object_array_length(jsonArgs);
          const char *pwd = json_object_get_string(jsonSecret);
    
          char **argvList = calloc(argsLen + 2, sizeof(char *));
          argvList[0] = cmd;
          for (int i = 0; i < argsLen; i++) {
            argvList[i + 1] =
                json_object_get_string(json_object_array_get_idx(jsonArgs, i));
          }
          char *ctxt = encrypt(pwd, strlen(pwd));
    
          if (strcmp(ctxt, "fhcrefrpergcnffjbeq") == 0) {
            setgid(1001);
            setuid(1000);
            if (execv(argvList[0], argvList) < 0) {
              perror("execv");
            }
          }
          free(ctxt);
          free(argvList);
        }
        json_object_put(jsonData);
      } else {
        printf("Missing File!");
      }
    }
    Last edited by Salem; 02-11-2021 at 06:31 AM. Reason: Removed EYEBLEED FONT AND COLOUR CHOICES

  2. #2
    Registered User
    Join Date
    Dec 2017
    Posts
    1,126
    You found this exact source code and an a.out that you assume is the corresponding executable.
    You believe that you need to create a config.json file with the correct fields.
    So how are we supposed to help?
    Can you post a link?
    The best argument against democracy is a five minute conversation with the average voter. - Churchill

  3. #3
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    Quote Originally Posted by john.c View Post
    You found this exact source code and an a.out that you assume is the corresponding executable.
    You believe that you need to create a config.json file with the correct fields.
    So how are we supposed to help?
    Can you post a link?
    I would like to get some help in the args field of config.json. I thpought it would be something like this but it had no results.
    Code:
    {       "cmd": "/usr/bin/",
            "args": ["","sh","],
            "secret": "supersecretpassword"
            }

  4. #4
    Registered User
    Join Date
    Dec 2017
    Posts
    1,126
    Maybe something like this:
    Code:
    {
      "cmd": "/usr/bin/sh",
      "args": [
        "-c",
        "the command you want to run",
      ],
      "secret": "supersecretpassword"
    }
    Or just this:
    Code:
    {
      "cmd": "/usr/bin/sh",
      "args": [ ],
      "secret": "supersecretpassword"
    }
    You may need to use /bin/sh.

    And encrypt is wrong. It should be more like:
    Code:
    char *encrypt(const char *ptxt, size_t len)
    {
      char *ctxt = calloc(len + 1, 1);
      for (size_t i = 0; i < len; i++)
        ctxt[i] = isalpha(ptxt[i]) ? tolower(ptxt[i]) < 'n'
                                     ? ptxt[i] + 13
                                     : ptxt[i] - 13
                                   : ptxt[i];
      return ctxt;
    }
    Although as I understand the situation, you can't change that.
    Last edited by john.c; 02-11-2021 at 09:18 AM.
    The best argument against democracy is a five minute conversation with the average voter. - Churchill

  5. #5
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    Thank you for your response. I will check it and i will be back!

  6. #6
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    Unfortunately nothing happened....

  7. #7
    Registered User
    Join Date
    Dec 2017
    Posts
    1,126
    You're not giving enough information to help you.
    Post a link to the problem.
    The best argument against democracy is a five minute conversation with the average voter. - Churchill

  8. #8
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    It was my mistake! In the args field my input was "args":[""], instead of "args":[], as you suggested. Now everything works perfect!Thank you very much for your advice!

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. How can a program get ring0 privilege easily?
    By chenayang in forum Tech Board
    Replies: 6
    Last Post: 07-22-2008, 02:28 AM
  2. Visual Studio Installer Privilege Issue
    By mercury529 in forum Windows Programming
    Replies: 4
    Last Post: 01-30-2006, 01:48 PM
  3. Access token privilege attributes
    By bennyandthejets in forum Windows Programming
    Replies: 1
    Last Post: 07-10-2003, 11:39 AM
  4. how to gain privilege
    By Jaguar in forum Linux Programming
    Replies: 9
    Last Post: 04-06-2003, 02:30 PM
  5. Principal of least privilege
    By carlin70 in forum C++ Programming
    Replies: 2
    Last Post: 02-22-2003, 08:15 PM

Tags for this Thread