For a website oriented on security, I have a challenge which consists of cracking an application. It's the first challenge of that category, and I must admit I have no experience at all in this (and sadly no documentation is linked in that challenge).
So here I'm not asking for the answer, but more about a way to find it.
The challenge:
I connect using SSH to a machine, and get into this folder :
binary1@challenge02:~$ ls -la
total 24
dr-xr-x--x 2 binary1 binary1 4096 mai 4 2013 .
dr-xr-xr-x 14 root root 4096 mai 4 2013 ..
-r-sr-x--- 1 binary1cracked binary1 8059 mai 4 2013 binary1
-r--r----- 1 binary1 binary1 121 mai 4 2013 binary1.c
-r--r----- 1 binary1cracked binary1cracked 14 févr. 8 2012 .passwd
My user is binary1, and my goal is to read .passwd.
The binary1 file is owned by the binary1cracked user, as is .passwd, so I think it can read the .passwd file. I take a look at the source of binary1:
binary1@challenge02:~$ cat binary1.c
#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    /* system() runs this through /bin/sh, which resolves "ls" via PATH */
    system("ls /challenge/binary/binary1/.passwd");
    return 0;
}
There I'd like to replace the ls by cat.
But I obviously can't since I don't have write privilege on this file.
I'm stuck without an idea about what to do from here.
I thought about launching the program, having it hang at some point, and modifying the memory to change the ls into a cat, but I have no idea how to do this.
Am I on the right path? Any suggestions on how to do this?
Thanks.
The setuid bit is set on the binary1 file, so if you are able to execute the binary1 file after suitable modification you should be able to read the file.
binary1 file's group has execute permission... and the group is binary1, so you would be able to execute the file.... and since the setuid bit is set, the owner of the process would be binary1cracked, which is also the owner of the .passwd file. So if you are able to get the code to read .passwd into the binary1 file, you would be able to read .passwd.
Probable solution based on Brandin's hint..
Place ls in your home directory with the content:
And then execute
The important thing to know is that 'system' uses the shell to execute its argument, in particular, it calls
So, by knowing how /bin/sh finds the program 'ls' to execute, you can figure out how to replace it with something you want. This does not require editing any of the files given.
Since binary1 is setuid binary1cracked and invokes system, you should be able to invoke binary1 with a modified PATH and therefore do anything that user binary1cracked can do. For example, supply your own version of ls that reads the .passwd file and place this ls into your custom PATH. With bash you can supply a custom PATH by invoking a command like this at the prompt