For a website oriented on security, I have a challenge which consist in cracking an application. It's the first challenge of that category, and I must admit I have no experience at all in this (and sadly no documentation is linked in that challenge).

So here I'm not asking for the answer, but more about a way to find it.

The challenge :

I connect using SSH to a machine, and get into this folder :

binary1@challenge02:~$ ls -la
total 24
dr-xr-x--x  2 binary1        binary1        4096 mai    4  2013 .
dr-xr-xr-x 14 root           root           4096 mai    4  2013 ..
-r-sr-x---  1 binary1cracked binary1        8059 mai    4  2013 binary1
-r--r-----  1 binary1        binary1         121 mai    4  2013 binary1.c
-r--r-----  1 binary1cracked binary1cracked   14 févr.  8  2012 .passwd

My user is binary1, and my goal is to read .passwd

Binary1 file is owned by binary1cracked user, as for .passwd, so I think it can read the .passwd file. I take a look at the source of binary1 ;

binary1@challenge02:~$ cat binary1.c
#include <stdlib.h>
#include <stdio.h>

int main(void)
{
        system("ls /challenge/binary/binary1/.passwd");
        return 0;
}

There I'd like to replace the ls by cat. But I obviously can't since I don't have write privilege on this file.

I'm stuck without an idea about what to do from here. I thought about launching the program, have it hang at some point, and modify the memory to change the ls into a cat but I have no idea how to do this.

Am I on the good path? Any suggestions on how to do this?

Thanks.

Since binary1 is setuid binary1cracked and invokes system, you should be able to invoke binary1 with a modified PATH and therefore do anything that user binary1cracked can do. For example, supply your own version of ls that reads the .passwd file and place this ls into your custom PATH.

With bash you can supply a custom PATH by invoking a command like this at the prompt

 $ PATH=/my/custom/path ./binary1

The setuid bit is set on binary1 file so if you are able to execute the binary1 file after suitable modificaton you should be able to read the file.

binary1 file's group has execute permission... and the group is binary1 , so you would be able to execute the file.... and since the setuid bit is set, the owner of the process would be binarycracked which is also the owner of .passwd file. So if you are able to get the code to read .passwd into the binary1 file , you would be able to read .passwd.

Probable solution based on Brandin's hint..

PATH=~:$PATH; export PATH;

Place ls in your home directory with the content:

$ cat .passwd

And then execute

 $ ./binary1

The important thing to know is that 'system' uses the shell to execute its argument, in particular, it calls

 /bin/sh -c "ls /challenge/binary/binary1/.passwd"

So, By knowing how /bin/sh finds the program 'ls' to execute, you can figure out how to replace it with something you want. This does not require editing any of the files given.