Thread: c script for privilege escalation

  1. #1
    Registered User
    Join Date
    Feb 2021
    Posts
    5

    c script for privilege escalation

    Hi there, I'm stuck in a privilege escalation CTF. I found the above script in C and I can understand that it takes as input a config.json file with some arguments. One of the args is fhcrefrpergcnffjbeq that in rot13 is the supersecretpassword encoded. In the same folder I found also the compiled a.out. So I guess I have to make a config.json file with some args and run the compiled a.out. Thank you in advance!


    Code:
    #include<stdio.h>
    #include<stdlib.h>
    #include<ctype.h>
    #include<json-c/json.h>
    #include<string.h>
    #include<unistd.h>
    
    #define BUFLEN 2048
    
    char *encrypt(const char *ptxt, size_t len)
    {
    
      char *ctxt = calloc(len + 1, sizeof(char));
    
      for (int i = 0; i < len; i++) {
        ctxt =
            ((isalpha(ptxt)) ? (tolower(ptxt) < 'n' ? ptxt + 13 : ptxt - 13) :
             ptxt);
      }
    
      return ctxt;
    }
    
    int main(int argc, char **argv)
    {
    
      FILE *fp;
      char buffer[BUFLEN];
      struct json_object *jsonData;
      struct json_object *jsonCmd;
      struct json_object *jsonArgs;
      struct json_object *jsonSecret;
      int flag = 0;
    
      fp = fopen("config.json", "r");
      if (fp) {
        fread(buffer, BUFLEN, 1, fp);
        fclose(fp);
    
        jsonData = json_tokener_parse(buffer);
        if (json_object_object_get_ex(jsonData, "cmd", &jsonCmd)
            && json_object_object_get_ex(jsonData, "args", &jsonArgs)
            && json_object_object_get_ex(jsonData, "secret", &jsonSecret)) {
    
          const char *cmd = json_object_get_string(jsonCmd);
          size_t argsLen = json_object_array_length(jsonArgs);
          const char *pwd = json_object_get_string(jsonSecret);
    
          char **argvList = calloc(argsLen + 2, sizeof(char *));
          argvList[0] = cmd;
          for (int i = 0; i < argsLen; i++) {
            argvList[i + 1] =
                json_object_get_string(json_object_array_get_idx(jsonArgs, i));
          }
          char *ctxt = encrypt(pwd, strlen(pwd));
    
          if (strcmp(ctxt, "fhcrefrpergcnffjbeq") == 0) {
            setgid(1001);
            setuid(1000);
            if (execv(argvList[0], argvList) < 0) {
              perror("execv");
            }
          }
          free(ctxt);
          free(argvList);
        }
        json_object_put(jsonData);
      } else {
        printf("Missing File!");
      }
    }
    Last edited by Salem; 02-11-2021 at 06:31 AM. Reason: Removed EYEBLEED FONT AND COLOUR CHOICES

  2. #2
    Registered User
    Join Date
    Dec 2017
    Posts
    1,633
    You found this exact source code and an a.out that you assume is the corresponding executable.
    You believe that you need to create a config.json file with the correct fields.
    So how are we supposed to help?
    Can you post a link?
    A little inaccuracy saves tons of explanation. - H.H. Munro

  3. #3
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    Quote Originally Posted by john.c View Post
    You found this exact source code and an a.out that you assume is the corresponding executable.
    You believe that you need to create a config.json file with the correct fields.
    So how are we supposed to help?
    Can you post a link?
    I would like to get some help in the args field of config.json. I thought it would be something like this but it had no results.
    Code:
    {       "cmd": "/usr/bin/",
            "args": ["","sh","],
            "secret": "supersecretpassword"
            }

  4. #4
    Registered User
    Join Date
    Dec 2017
    Posts
    1,633
    Maybe something like this:
    Code:
    {
      "cmd": "/usr/bin/sh",
      "args": [
        "-c",
        "the command you want to run"
      ],
      "secret": "supersecretpassword"
    }
    Or just this:
    Code:
    {
      "cmd": "/usr/bin/sh",
      "args": [ ],
      "secret": "supersecretpassword"
    }
    You may need to use /bin/sh.

    And encrypt is wrong. It should be more like:
    Code:
    char *encrypt(const char *ptxt, size_t len)
    {
      char *ctxt = calloc(len + 1, 1);
      for (size_t i = 0; i < len; i++)
        ctxt[i] = isalpha(ptxt[i]) ? tolower(ptxt[i]) < 'n'
                                     ? ptxt[i] + 13
                                     : ptxt[i] - 13
                                   : ptxt[i];
      return ctxt;
    }
    Although as I understand the situation, you can't change that.
    Last edited by john.c; 02-11-2021 at 09:18 AM.

  5. #5
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    Thank you for your response. I will check it and I will be back!

  6. #6
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    Unfortunately nothing happened....

  7. #7
    Registered User
    Join Date
    Dec 2017
    Posts
    1,633
    You're not giving enough information to help you.
    Post a link to the problem.

  8. #8
    Registered User
    Join Date
    Feb 2021
    Posts
    5
    It was my mistake! In the args field my input was "args":[""], instead of "args":[], as you suggested. Now everything works perfectly! Thank you very much for your advice!
