Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Flag readable only by challenge group #577

Open
ConnorNelson opened this issue Sep 26, 2024 · 1 comment
Open

Flag readable only by challenge group #577

ConnorNelson opened this issue Sep 26, 2024 · 1 comment

Comments

@ConnorNelson
Copy link
Member

Can you hear the future of the dojo off in the distance? It says "Challenges shouldn't be setuid-root unless they need to be; they should be setgid-challenge".

The flag shall be readable by only the "challenge" group. And guess what, root has capabilities to ignore these permissions, so it can read too. Most challenges will just be setgid-challenge.

This group shall be ID 1337 or maybe 942 if we should be below 1000 (42 is already the shadow group on ubuntu:24.04).

The simple transition path is to just chown -R root:challenge /challenge && chmod -R 6755 /challenge. This means everything will still be setuid-root, but will now also be setgid-challenge. So, challenges that depend on being root (for chroot, binding lower ports, etc) will still work. Long term, most things will just be 2755 root:challenge--which is to say, challenges will not run as root.

Experiments

Setup:

root@0ab867cfc103:/# echo 'challenge:x:1337:' >> /etc/group
root@0ab867cfc103:/# echo 'FLAG' > /flag
root@0ab867cfc103:/# chown root:challenge /flag
root@0ab867cfc103:/# chmod 040 /flag
root@0ab867cfc103:/# ls -al /flag
----r----- 1 root challenge 5 Sep 25 23:39 /flag

We get an "egid" of 1337:

root@0ab867cfc103:/# chown root:challenge /bin/id
root@0ab867cfc103:/# chmod 2755 /bin/id
root@0ab867cfc103:/# su ubuntu
ubuntu@0ab867cfc103:/$ id
uid=1000(ubuntu) gid=1000(ubuntu) egid=1337(challenge) groups=1337(challenge),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),1000(ubuntu)
ubuntu@0ab867cfc103:/$ exit
exit
root@0ab867cfc103:/# chmod 755 /bin/id

We can read the flag using a setgid program:

root@0ab867cfc103:/# chown root:challenge /bin/cat
root@0ab867cfc103:/# chmod 2755 /bin/cat
root@0ab867cfc103:/# su ubuntu
ubuntu@0ab867cfc103:/$ cat /flag
FLAG

We can also still read the flag using a root-setuid program:

root@0ab867cfc103:/# chmod 4755 /bin/cat
root@0ab867cfc103:/# su ubuntu
ubuntu@0ab867cfc103:/$ cat /flag
FLAG

We can also read the flag using a setuid-setgid program:

root@0ab867cfc103:/# chmod 6755 /bin/cat
root@0ab867cfc103:/# su ubuntu
ubuntu@0ab867cfc103:/$ cat /flag
FLAG

Just like setuid, /bin/sh drops setgid (while /bin/sh -p does not):

root@0ab867cfc103:/# chown root:challenge /bin/sh
root@0ab867cfc103:/# chmod 2755 /bin/sh
root@0ab867cfc103:/# su ubuntu
ubuntu@0ab867cfc103:/$ sh
$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev)
$ cat /flag
cat: /flag: Permission denied
$ exit
ubuntu@0ab867cfc103:/$ sh -p
$ id
uid=1000(ubuntu) gid=1000(ubuntu) egid=1337(challenge) groups=1337(challenge),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),1000(ubuntu)
$ cat /flag
FLAG
@spencerpogo
Copy link
Contributor

We should eventually make a page with code snippets in various languages to do permissions related tasks the right way, so that challenge authors don't mess up trying to roll their own.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants