August 26, 2017

pwnable.kr shellshock solution


Mommy, there was a shocking news about bash.
I bet you already know, but let's just make it sure :)

The flag file's group is "shellshock_pwn", while my user is "shellshock", which is not a member of that group, so I cannot read the flag directly.

A bash binary is also provided. Given the topic of the challenge, it is probably vulnerable to Shellshock.

To test whether the provided bash is vulnerable, I added an environment variable named TEST whose value looks like a function definition.
* Bash passes exported shell functions to child processes as environment variables, and on startup it parses any variable whose value begins with "() {" back into a function.
* The ":;" body is a no-op; ":" is equivalent to "true". See this link for more information : [Link]
* An unpatched bash does not stop parsing at the end of the function body: any command that follows the closing brace is executed every time such a bash starts. When the bash is started by a setuid or setgid program, that trailing command runs with the program's elevated privilege. This vulnerability is called Shellshock.

When I run the provided bash with that variable in its environment, the command after the semicolon is executed as well, so this bash is an outdated, vulnerable build.
* The well-known check for Shellshock: env x='() { :;}; echo "vulnerable"' aCommand
* env : runs the command on its right in an environment extended with the assignments on its left.
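As an added detection-side example, not part of the original writeup, this POSIX shell script scans constructed NAME=VALUE environment lines (the kind a CGI or SSH front end would hand to bash) for values that begin with "() {", the marker bash parses as an exported function, and reports whether anything follows the function body. The helper names and the sample lines are my own.

```shell
# Added example: flag environment values that bash would parse as a function.
# A value with non-blank text after the function body is the Shellshock shape
# described above (function body followed by a trailing command).
flag_function_envs() {
  # Reads NAME=VALUE lines on stdin; prints "name:kind" for each suspicious var.
  rb='}'
  while IFS= read -r line; do
    name=${line%%=*}
    value=${line#*=}
    case "$value" in
      "() {"*)
        # Drop everything up to and including the first closing brace.
        # (Heuristic: a body containing nested braces would be reported as trailing.)
        rest=${value#*"$rb"}
        case "$rest" in
          *[![:space:]]*) printf '%s:trailing\n' "$name" ;;
          *)               printf '%s:function\n' "$name" ;;
        esac
        ;;
    esac
  done
}

# Constructed sample environment: one plain variable, one Shellshock-style
# payload of the form shown in the writeup, one legitimate exported function,
# and one ordinary HTTP header value.
SAMPLE_ENV='HOME=/home/shellshock
TEST=() { :;}; echo vulnerable
greet=() { echo hi; }
HTTP_USER_AGENT=Mozilla/5.0'

# Runs the scanner over the constructed sample and returns its report.
scan_sample() {
  printf '%s\n' "$SAMPLE_ENV" | flag_function_envs
}

scan_sample
```

Only the TEST variable is reported as "trailing"; the legitimate exported function is reported as "function" and the other variables are ignored.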

./shellshock is a setgid program; it calls setresgid/setresuid to adopt its elevated group ID before running the provided bash.

So the flag file can be read with the group ID the shellshock program runs under.

I run the shellshock program with the crafted variable in the environment. It starts the outdated bash, and the command to the right of the semicolon executes with the shellshock program's group permission, which is enough to read the flag.