Problem description

For a website oriented on security, I have a challenge which consists in cracking an application. It's the first challenge of that category, and I must admit I have no experience at all in this (and sadly no documentation is linked in that challenge).

So here I'm not asking for the answer, but more about a way to find it.

The challenge

I connect using SSH to a machine, and get into this folder:

binary1@challenge02:~$ ls -la
total 24
dr-xr-x--x  2 binary1        binary1        4096 mai    4  2013 .
dr-xr-xr-x 14 root           root           4096 mai    4  2013 ..
-r-sr-x---  1 binary1cracked binary1        8059 mai    4  2013 binary1
-r--r-----  1 binary1        binary1         121 mai    4  2013 binary1.c
-r--r-----  1 binary1cracked binary1cracked   14 févr.  8  2012 .passwd

My user is binary1, and my goal is to read .passwd

Binary1 file is owned by binary1cracked user, as for .passwd, so I think it can read the .passwd file. I take a look at the source of binary1:

binary1@challenge02:~$ cat binary1.c
#include <stdlib.h>
#include <stdio.h>

int main(void)
{
        system("ls /challenge/binary/binary1/.passwd");
        return 0;
}

There I'd like to replace the ls by cat. But I obviously can't since I don't have write privilege on this file.

I'm stuck without an idea about what to do from here. I thought about launching the program, have it hang at some point, and modify the memory to change the ls into a cat but I have no idea how to do this.

Am I on the good path? Any suggestions on how to do this?

Thanks.

Recommended answer

Since binary1 is setuid binary1cracked and invokes system, you should be able to invoke binary1 with a modified PATH and therefore do anything that user binary1cracked can do. For example, supply your own version of ls that reads the .passwd file and place this ls into your custom PATH.

With bash you can supply a custom PATH by invoking a command like this at the prompt

 $ PATH=/my/custom/path ./binary1
