IceCTF - 55 - Demo - Pwn

Information

Version

By     Version  Comment
noraj  1.0      Creation

CTF

Description

I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell.

Solution

  1. Connect to the shell provided by IceCTF.

  2. Go to /home/demo/.

  3. Our goal is to display flag.txt, but it is impossible for the moment:

    [[email protected] /home/demo]$ cat flag.txt
    cat: flag.txt: Permission denied
    [[email protected] /home/demo]$ sh
    $ cat /home/demo/flag.txt
    cat: /home/demo/flag.txt: Permission denied

  4. Display demo.c:

    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <libgen.h>
    #include <string.h>

    /* Spawns a shell with the effective gid (the setgid bit of demo) made
     * the real and saved gid as well, so the shell keeps that group. */
    void give_shell() {
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
        system("/bin/sh");
    }

    int main(int argc, char *argv[]) {
        /* The "licence" check: the basename of the _ environment variable,
         * which the parent shell sets, must equal "icesh". */
        if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
            give_shell();
        }
        else {
            printf("I'm sorry, your free trial has ended.\n");
        }
        return 0;
    }

  5. To call give_shell() we have to bypass the if statement.

  6. We need the _ environment variable to be _=icesh.

  7. But our zsh shell doesn't allow us to change it: _ is read-only and we can't make it writable.

    [[email protected] /home/demo]$ export \_=icesh
    zsh: read-only variable: _
    [[email protected] /home/demo]$ typeset +rx \_=icesh
    typeset: _: can't change type of a special parameter

  8. _ contains the name of the last command, but launching icesh and then ./demo doesn't work in this environment because the last command is ./demo, so _=./demo.

  9. As give_shell() gives us a /bin/sh, let's try with that shell instead.

  10. Start a /bin/sh.

  11. With /bin/sh, _ contains the command before the last one, so running icesh and then ./demo works: _=icesh.

  12. So give_shell() is called and we get a /bin/sh with the elevated gid instead of seeing I'm sorry, your free trial has ended. printed.

  13. With this empowered shell we can display the flag.txt file:

    $ cat /home/demo/flag.txt
    IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
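As an added example (not the challenge's own code), the program below isolates demo.c's check into a function and feeds it the kinds of _ values a parent shell can hand to a child, which is why a setgid binary cannot authenticate its caller from the environment. The names trial_active and check_with_parent_env are chosen here, and the sample values are constructed.

```c
/* Added example, not from the writeup: models demo.c's trial check and
 * shows that whoever starts the process decides what getenv("_") returns. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libgen.h>

/* Same comparison demo.c performs: basename(_) must match "icesh" for 6
 * bytes, i.e. including the terminating NUL, so "icesh_old" fails while
 * "/usr/bin/icesh" passes. NULL-safe, unlike demo.c when _ is unset. */
static int trial_active(const char *underscore)
{
    char buf[256];
    if (underscore == NULL)
        return 0;
    /* POSIX basename() may modify its argument, so work on a copy. */
    snprintf(buf, sizeof buf, "%s", underscore);
    return strncmp(basename(buf), "icesh", 6) == 0;
}

/* What demo.c actually does: trust the _ it inherited from its parent. */
static int trial_active_from_env(void)
{
    return trial_active(getenv("_"));
}

/* Simulates a parent that sets (or unsets) _ before starting the child;
 * the check's outcome is entirely the parent's choice. */
static int check_with_parent_env(const char *value)
{
    if (value == NULL)
        unsetenv("_");
    else
        setenv("_", value, 1);
    return trial_active_from_env();
}

int main(void)
{
    /* Constructed sample values a parent shell might export as _. */
    const char *samples[] = { "./demo", "icesh", "/usr/bin/icesh", "icesh_old", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("_=%-16s -> %s\n", samples[i] ? samples[i] : "(unset)",
               check_with_parent_env(samples[i]) ? "give_shell()" : "trial ended");
    return 0;
}
```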
