April 04, 2018

Root me write-up : Bash - cron

To comply with the write-up rule of root-me.org, in this write-up, I just talk about some hints related this challenge. Here is no solution and correct answer. Check the provided file the "ch4". It executes files regularly with cron service and makes directory "._cron". It is driven with the permission to get the flag. And this is some operations of · · ·

March 28, 2018

Root me write-up : Python - input()

To comply with the write-up rule of root-me.org, in this write-up, I just listed hints related this challenge. Here is no solution and correct answer. I ask for your understanding. <Source code> #!/usr/bin/python2 import sys def youLose():     print "Try again ;-)"     sys.exit(1) try:     p = input("Please enter password · · ·

December 23, 2017

Root me write-up : Perl - Command injection

Retrieve the password stored in .passwd. There are .passwd, ch7.pl and setuid-wrapper files. This challenge seems to read the .passwd file using the permissions of the setuid-wrapper file. ※ Two kinds of SUID(Link). This program prompts you to enter a file path. Then it outputs the statistical results of the contents of the file. <setuid-wrapper.c> #include · · ·

November 10, 2017

Root me write-up : Bash - System 2

It looks like that it can be solved by changing the "ls" command to "cat". However, since there is no "-l" option in "cat" command, "ls -lA" should be "cat". SUID is in use. I used the following method to change "ls -lA" to "cat". 1. Make a /tmp/tmpt/ls program to exploit. #include<stdio.h> int main() { system("■■■ ■■■■■■■■■■■■■t/ch12/.passwd;"); · · ·

October 18, 2017

Root me write-up : sudo - weak configuration

Wishing to simplify the task by not modifying rights, the administrator has not thought about the side effects... The "~/ch1cracked/.passwd" file is for the "app-script-ch1-cracked" account. The file has a flag. There is a mention of "Privilege escalation" in the game description. The traditional way to escalate privilege is to use "sudo" · · ·

October 15, 2017

Root me write-up : Bash - System 1

Try to find your path padawan! "ch11" has SUID permission, and the "ls" command depends on the PATH environment variable. The goal is reading the ".passwd". The soft link "ls" that functions as "cat" reads the ".passwd". If the current path is included in the PATH environment variable, the vulnerability can occur like above. But · · ·
Subscribe to: Posts (Atom)