"Pwnable.kr" Shellshock

Pwnable from getting started to giving up, question fifth.

SSH [email protected]-p2222 (pw:guest)

The problem involves a CVE bug about bash.

First, or download the source code audit, SHELLSHOCK.C

#include <stdio.h>int  main () {    setresuid (Getegid (), Getegid (), Getegid ());    Setresgid (Getegid (), Getegid (), Getegid ());    System ("/home/shellshock/bash-c ' echo shock_me '");     return 0 ;}

The first is a question about the permissions of the executable program, that is, the UID and GID.

Look at the permissions for each file first

First start, the user is Shellshock permissions, that is, other permissions, so the flag is not readable. Linux switching machine The skilled player didn't know what to mean at all.

Later found that Shellshock this executable file has a special permission to the group W, which means that egid belongs to Shellshock_pwn, this privilege is very high, the flag file is readable, which also involves the Linux executable permissions inheritance and grant problems.

I looked at the "C and C + + security Code" in the Permissions section, which is equivalent to set up the Egid, so in the code Setreuid set the UID is the high privilege of the preset, that is, EGID--SHELLSHOCK_PWN, Therefore, when the executable is executed to the system line, it is already a program with SHELLSHOCK_PWN group permissions.

Bash is also open with this group of permissions, so the flag is readable.

Solve the permissions problem, you can consider how the code execution, this shell hole can be used as a local right to exploit the vulnerability, refer to Jinshan poison PA on the FREEBUF analysis of the vulnerability of the paste,: http://www.freebuf.com/articles/system/45390.html

Can use the above mentioned POC,

Env x= ' () {:;}; echo vulnerable ' bash-c "echo this is a test"

This vulnerability can be verified to exist on./bash:

Will echo v ... ' Replace the command you want to execute Bash-c "cat./flag"

and./Bash-c "echo this is a test" replaced by./shellshock

Steal a lazy, broken shell loophole tomorrow to see.

"Pwnable.kr" Shellshock