Today I’m going to show you how to exploit a vulnerability in the shellshock challenge from pwnable.kr.
First, we have to connect to the server hosting this challenge via ssh.
From here on, we’re ready to work on the challenge. The first thing I notice is that the flag is readable only by the user shellshock_pwn, not by my user, shellshock. Luckily, the binary also carries the shellshock_pwn group ID. Then, following my usual steps, I check out the source code.
To find out what setresgid, setresuid and getegid do, I looked at the man pages for these functions. Here’s the quick walkthrough.
In other words, this program runs with the group ID of its owner, shellshock_pwn, which is the same group that owns the flag. That’s good news.
Now let’s look at the challenge name once again. Shellshock is the name of a vulnerability disclosed on 24 September 2014. It allows an attacker to execute arbitrary commands on vulnerable versions of bash.
The vulnerability can be tested with the following command.
We can reuse that snippet to perform our own Shellshock against this vulnerable binary. First, let’s modify the command so that it prints the flag for us.
export only stores the variable in the environment; then we run the binary, and that’s it.
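To make the trigger concrete from the defender’s side, here is an added Python example (my own, not code from the challenge or from this post) that recognises the Shellshock pattern, a value that starts with a bash function definition `() {` and carries extra commands after the closing brace, both in environment variables and in web-server log lines. The variable names, sample values and log lines are constructed for the example.

```python
import re

# Shellshock fires when bash imports an environment variable whose value
# looks like an exported function, "() { ... }", and then keeps parsing the
# text after the closing brace as commands. This regex captures that tail.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;\s*(?P<cmd>[^"]+)')


def shellshock_payload(value):
    """Return the trailing command if `value` carries a Shellshock-style
    function definition, otherwise None."""
    m = SHELLSHOCK_RE.search(value)
    return m.group("cmd").strip() if m else None


def scan_environ(env):
    """Names of environment variables (a dict) whose values carry the pattern,
    i.e. what `export` would hand to a bash child such as the challenge binary."""
    return sorted(name for name, value in env.items() if shellshock_payload(value))


def scan_log_lines(lines):
    """Flag web-server log lines whose request headers carry the pattern
    (the classic remote vector through CGI). Returns (line_no, cmd) pairs."""
    hits = []
    for no, line in enumerate(lines, 1):
        cmd = shellshock_payload(line)
        if cmd:
            hits.append((no, cmd))
    return hits


# Constructed sample input (not taken from the challenge server).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "x": "() { :;}; echo probe",          # Shellshock-style value
    "BASH_FUNC_f%%": "() { echo hi; }",   # post-patch export form, no trailing command
}
SAMPLE_LOGS = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; id"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan_environ(SAMPLE_ENV))      # ['x']
    print(scan_log_lines(SAMPLE_LOGS))   # [(1, 'id')]
```

The patched export form (`BASH_FUNC_f%%`) is deliberately not flagged, since bash only honours that naming scheme and no longer runs text after the function body.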