For a security-oriented website, I have a challenge which consists of cracking an application. It's the first challenge of that category, and I must admit I have no experience at all in this (and sadly no documentation is linked in that challenge).
So here I'm not asking for the answer, but more about a way to find it.
The challenge:
I connect using SSH to a machine, and get into this folder :
binary1@challenge02:~$ ls -la
total 24
dr-xr-x--x 2 binary1 binary1 4096 mai 4 2013 .
dr-xr-xr-x 14 root root 4096 mai 4 2013 ..
-r-sr-x--- 1 binary1cracked binary1 8059 mai 4 2013 binary1
-r--r----- 1 binary1 binary1 121 mai 4 2013 binary1.c
-r--r----- 1 binary1cracked binary1cracked 14 févr. 8 2012 .passwd
My user is binary1, and my goal is to read .passwd.
The binary1 file is owned by the binary1cracked user, as is .passwd, so I think it can read the .passwd file. I take a look at the source of binary1:
binary1@challenge02:~$ cat binary1.c
#include <stdlib.h>
#include <stdio.h>
int main(void)
{
    system("ls /challenge/binary/binary1/.passwd");
    return 0;
}
There I'd like to replace the ls by cat.
But I obviously can't since I don't have write privilege on this file.
I'm stuck without an idea about what to do from here.
I thought about launching the program, having it hang at some point, and modifying the memory to change the ls into a cat, but I have no idea how to do this.
Am I on the right path? Any suggestions on how to do this?
Thanks.
Since binary1 is setuid binary1cracked and invokes system, you should be able to invoke binary1 with a modified PATH and therefore do anything that user binary1cracked can do. For example, supply your own version of ls that reads the .passwd file and place this ls into your custom PATH.
With bash you can supply a custom PATH by invoking a command like this at the prompt:
$ PATH=/my/custom/path ./binary1
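From a defender's point of view, the weakness in binary1.c is that system() runs "ls ..." through /bin/sh, which resolves the bare command name "ls" using whatever PATH the caller's environment supplies, and the setuid bit does nothing to stop that. The following is an added example (not code from the challenge or from the answer above) of how a setuid helper should be written instead: execute the program by absolute path, refuse relative names and shell metacharacters, and hand the child a fixed minimal environment so the caller's PATH is never consulted. The SAFE_ENV contents, the helper names and the target path are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed fixed environment for the child. The caller's environment
 * (including any attacker-controlled PATH) is discarded entirely. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Returns 1 only if the program path is absolute and free of the shell
 * metacharacters that system() would otherwise interpret. */
int path_is_trusted(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    if (strpbrk(path, " \t\n;|&$`<>()*?") != NULL)
        return 0;
    return 1;
}

/* Hardened replacement for system("ls ..."): fork and execve the program
 * by absolute path with SAFE_ENV, never via /bin/sh. Returns the child's
 * exit status (127 if the program could not be executed), or -1 if the
 * path was rejected or fork/wait failed. */
int run_trusted(const char *abs_prog, char *const argv[])
{
    if (!path_is_trusted(abs_prog))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* execve does not search PATH and takes our fixed environment. */
        execve(abs_prog, argv, SAFE_ENV);
        _exit(127);          /* only reached if execve itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same effect as the original program, but "ls" cannot be hijacked
     * through PATH because the absolute path and environment are fixed. */
    char *const argv[] = { "ls", "/challenge/binary/binary1/.passwd", NULL };
    int rc = run_trusted("/bin/ls", argv);
    printf("ls exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The other half of the mitigation is to avoid setuid wrappers around shell commands altogether; if a wrapper is unavoidable, pinning the environment and exec'ing by absolute path as above removes the PATH-based attack the answer describes, and dropping privileges before any untrusted input is handled narrows what a remaining bug can reach.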