Flipping to root – privilege escalation via CBC bit-flipping
You probably thought we could just step through hex pair by hex pair until we find the right spot and flip our way to victory. Not exactly.
The way the User ID and Group ID are encoded is a little funky, and there's a different piece of ciphertext being XORed against when we work our way down the IV. So at this point, it's pure trial and error while relying on the hints we've already gathered. As I worked this one out, I took some notes:
It's a little tedious, but I only needed to play with a few characters to understand what's going on here. I discovered two main points:
- Though each position is 8 bits, only modifying the final 4 bits would change the User ID/Group ID value in that position. For example, I noted that when I replaced the two hexadecimal characters in a position with 00, the result breaks (that is, the resulting binary value isn't ASCII-friendly).
- I go and do the XOR calculation on the trailing 4 bits of each byte to find the key that I need and discover the value isn't the same for all positions.
The hacker in you was already expecting unique XOR values for each character, right? The stream of bits that's being XORed with the IV wouldn't realistically be a byte-long repeating pattern. The effort to discover these values pays off, though, because all we have to do now is calculate the XOR for each position: XOR the hexadecimal character in the IV with the hexadecimal of the User ID/Group ID in that position, and the result is the enciphered bits at that position. And since we're looking for all zeroes, the result for each position is the binary equivalent of the hexadecimal character we need to put in the IV instead of the original.
Let's translate that conclusion with an example from the IV: position 09 is b4, which corresponds to the middle digit in the Group ID, which is 3. Hexadecimal 4 in binary is 0100 and hexadecimal 3 is 0011. 0100 XOR 0011 equals 0111. 0111 is the binary equivalent of 7, which means we would replace b4 with b7 to get a 0.
Now, I repeat this calculation for all six positions and learn what I needed: the byte-long IV positions 05 through 10 correspond to the User ID and Group ID, and the final 4 bits of each position need to be replaced with the hexadecimal values (in order) a2f774 to get root. Position 05 in the original IV was ab, so it becomes aa; position 06 was 65, so it becomes 62; and so on.
Thus, the IV from the 5th byte to the 10th byte changes from ab650b25b411 to aa620f27b714:
The moment of truth: I change the IV from 6bc24fc1ab650b25b4114e93a98f1eba to 6bc24fc1aa620f27b7144e93a98f1eba: