Question
For a website oriented towards security, I have a challenge which consists of cracking an application. It's the first challenge of that category, and I must admit I have no experience at all in this (and sadly no documentation is linked in that challenge).
So here I'm not asking for the answer, but more about a way to find it.
The challenge:
I connect using SSH to a machine, and get into this folder:
binary1@challenge02:~$ ls -la
total 24
dr-xr-x--x 2 binary1 binary1 4096 mai 4 2013 .
dr-xr-xr-x 14 root root 4096 mai 4 2013 ..
-r-sr-x--- 1 binary1cracked binary1 8059 mai 4 2013 binary1
-r--r----- 1 binary1 binary1 121 mai 4 2013 binary1.c
-r--r----- 1 binary1cracked binary1cracked 14 févr. 8 2012 .passwd
My user is binary1, and my goal is to read .passwd.
The binary1 file is owned by the binary1cracked user, as is .passwd, so I think it can read the .passwd file. I take a look at the source of binary1:
binary1@challenge02:~$ cat binary1.c
#include <stdlib.h>
#include <stdio.h>
int main(void)
{
    system("ls /challenge/binary/binary1/.passwd");
    return 0;
}
There I'd like to replace the ls by cat.
But I obviously can't since I don't have write privilege on this file.
I'm stuck without an idea about what to do from here.
I thought about launching the program, having it hang at some point, and modifying the memory to change the ls into a cat, but I have no idea how to do this.
Am I on the right path? Any suggestions on how to do this?
Thanks.
Answer 1:
Since binary1 is setuid binary1cracked and invokes system, you should be able to invoke binary1 with a modified PATH and therefore do anything that user binary1cracked can do. For example, supply your own version of ls that reads the .passwd file and place this ls into your custom PATH.
With bash you can supply a custom PATH by invoking a command like this at the prompt:
$ PATH=/my/custom/path ./binary1
Answer 2:
The setuid bit is set on the binary1 file, so if you are able to execute the binary1 file after suitable modification you should be able to read the file.
The binary1 file's group has execute permission... and the group is binary1, so you would be able to execute the file.... and since the setuid bit is set, the owner of the process would be binary1cracked, which is also the owner of the .passwd file. So if you are able to get the code to read .passwd into the binary1 file, you would be able to read .passwd.
Probable solution, based on Brandin's hint:
PATH=~:$PATH; export PATH;
Place ls in your home directory with the content:
$ cat .passwd
And then execute
$ ./binary1
Answer 3:
The important thing to know is that 'system' uses the shell to execute its argument; in particular, it calls
/bin/sh -c "ls /challenge/binary/binary1/.passwd"
So, by knowing how /bin/sh finds the program 'ls' to execute, you can figure out how to replace it with something you want. This does not require editing any of the files given.
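The underlying weakness the three answers describe is that a setuid program calls system() with a bare program name and inherits the caller's environment, so the shell resolves "ls" through a PATH the unprivileged user controls. The following is an added example (not part of the challenge or any answer) of how such a wrapper should be written instead: no shell, an absolute program path that is checked before use, and a fixed minimal environment passed to execve; the function name run_fixed and the SAFE_ENV contents are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Minimal, hard-coded environment: the caller's PATH, IFS, LD_* etc. are
   never forwarded to the privileged child. (Contents are an assumption.) */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run `prog` with `argv` directly via execve, bypassing /bin/sh entirely.
   Returns the child's exit status, or -1 when the request is refused or
   the child cannot be started/waited for. */
int run_fixed(const char *prog, char *const argv[])
{
    /* Refuse anything that is not an absolute path: a bare name such as
       "ls" would otherwise depend on whatever PATH lookup happens later. */
    if (prog == NULL || prog[0] != '/' || argv == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: exact path, exact argv, scrubbed environment. */
        execve(prog, argv, SAFE_ENV);
        _exit(127);               /* exec failed; report like the shell does */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Hardened equivalent of the challenge's system("ls .../.passwd"). */
    char *const argv[] = { "/bin/ls", "/challenge/binary/binary1/.passwd", NULL };
    int rc = run_fixed("/bin/ls", argv);
    printf("child exit status: %d\n", rc);
    return rc < 0 ? 1 : rc;
}
```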
Source: https://stackoverflow.com/questions/22113642/modify-a-program-im-not-the-owner-of