200 points
Category: Binary Exploitation
Tags: #picoCTF 2023, Binary Exploitation, linux, bash, toctou
Someone created a program to read text files; we think the program reads files with root privileges but apparently it only accepts to read files that are owned by the user running it. Additional details will be available after launching your challenge instance.
The most useful hint is the task's tag `toctou`: it is the name of the vulnerability, TOCTOU -> Time-of-check to time-of-use.
The owner of `flag.txt` is root, and root is also the owner of the program. But the program has the setuid bit (`s`) in its permissions, which means it runs as root: we need to trick it into opening `flag.txt` while avoiding the program's uid check at the same time.
- Connect via SSH to the instance. We can see that there is one check for uid.
- Create a file - I named it `ttt.txt` and wrote `123` inside it.
- Create a symbolic link `my_link`. Let's endlessly make it point to `ttt.txt`, then to `flag.txt`, in a loop with the following script:
  `while true; do ln -sf /home/ctf-player/ttt.txt /home/ctf-player/my_link; ln -sf /home/ctf-player/flag.txt /home/ctf-player/my_link; done &`
- Then start an endless loop that runs `txtreader` over `my_link`:
  `while true; do ./txtreader my_link; done`
- Then the following events will occur:
  - The program checks the uid while `my_link` -> `ttt.txt`.
  - `my_link` changes and now points to `flag.txt`.
  - `txtreader` reads from `my_link` - we have already bypassed the uid check, so we get `flag.txt`.
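The root cause is the check-then-open pattern in the reader. Below is an added illustration in C (not the challenge binary's code, which the writeup does not show) of that racy pattern beside the hardened form that opens first and checks the object it actually opened; the temp-dir scenario it builds is constructed and runs without root, so it demonstrates that the hardened opener refuses the symlink, not the root-owned `flag.txt` case itself.

```c
#define _GNU_SOURCE            /* mkdtemp(), O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: stat() the path, then open() the path. A symlink at
 * 'path' can be re-pointed between the two calls (the TOCTOU window). */
int open_if_owned_racy(const char *path, uid_t uid) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_uid != uid) { errno = EACCES; return -1; }
    return open(path, O_RDONLY);   /* may now open a different file */
}

/* Hardened pattern: open first, then fstat() the descriptor, which describes
 * the inode actually opened; O_NOFOLLOW also rejects a symlink outright.
 * (Dropping privileges before open() is the other sound fix.) */
int open_if_owned_safe(const char *path, uid_t uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != uid) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed scenario, no root needed: target.txt and my_link -> target.txt
 * in a fresh temp dir. Returns 1 when the racy opener follows the link but
 * the hardened one refuses it with ELOOP. */
int demo(void) {
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[64], lnk[64];
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/my_link", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "123\n", 4) != 4 || close(fd) != 0) return 0;
    if (symlink(target, lnk) != 0) return 0;
    int racy = open_if_owned_racy(lnk, getuid());
    int safe = open_if_owned_safe(lnk, getuid());
    int ok = (racy >= 0) && (safe < 0 && errno == ELOOP);
    if (racy >= 0) close(racy);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```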