writeups

IceCTF - 55 - Demo - Pwn

noraj (Alexandre ZANNI)
, , ,
🇬🇧

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

Description#

I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell.

Solution#

  1. Connect to the shell provided by IceCTF.
  2. Go to /home/demo/.
  3. Our goal is to display flag.txt but it is impossible ofr the moment:
1
2
3
4
5
[ctf-578@icectf-shell-2016 /home/demo]$ cat flag.txt
cat: flag.txt: Permission denied
[ctf-578@icectf-shell-2016 /home/demo]$ sh
$ cat /home/demo/flag.txt
cat: /home/demo/flag.txt: Permission denied
  1. Display demo.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <libgen.h>
#include <string.h>

void give_shell() {
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh");
}

int main(int argc, char *argv[]) {
    if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
        give_shell();
    }
    else {
        printf("I'm sorry, your free trial has ended.\n");
    }
    return 0;
}
  1. To call give_shell() we have to bypass the if statement.
  2. We need the _ environment variable to be _=icesh.
  3. But our zsh shell don't allow us to change: _ is read-only and we can't make it writable.
1
2
3
4
[ctf-578@icectf-shell-2016 /home/demo]$ export \_=icesh
zsh: read-only variable: _
[ctf-578@icectf-shell-2016 /home/demo]$ typeset +rx \_=icesh
typeset: _: can't change type of a special parameter
  1. _ contain the name of the last command but launching icesh and then ./demo doesn't work in this environment because the last command is ./demo so _=./demo.
  2. As give_shell() will give us a /bin/sh, let's try with it.
  3. Start a /bin/sh.
  4. With /bin/sh, _ contain the last command before last one, so running icesh and then ./demo will work: _=icesh.
  5. So that launch give_shell() and give a /bin/sh enhanced with special gid instead of having I'm sorry, your free trial has ended. printed.
  6. With this empowered shell we can display the flag.txt file:
1
2
$ cat /home/demo/flag.txt
IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
Share