0

I have the following file

-rwxr-sr-x 1 root reader 15555 janv. 1 00:00 reader
-rw-r----- 1 root reader    65 janv. 1 00:00 flag.txt
drwxr-x--x 2 root reader  4096 janv. 1 00:00 dir

Inside dir, I have the file

-rw-r--r-- 1 root reader janv. 1 00:00 dir/file1

The executable reader open and reads file1 . The content of file1 is a simple string, and I know that with the dirty cow exploit I can write to f1 even if I don't have writing rights.

Thus, is there a way to write a program that execute commands upon being read? Like if I could change the content of file1 c for a type of cat flag.txt , I would be able to access flag.txt since I would be reading it from reader .

JavaDumbell
  • 215
  • 2
  • 11
  • 1
    Not to rain on the parade, but "dirty cow" was fixed in 2018. See: https://en.wikipedia.org/wiki/Dirty_COW – Craig Estey Mar 10 '21 at 01:26
  • @CraigEstey this is most likely an environment in which the security patches for dirty cow have been reverted on purpose, or just haven't been applied. It's common for CTF training websites. – Marco Bonelli Mar 10 '21 at 01:33
  • 1
    What about using the vulnerability to write to the reader executable, replacing the reference to dir/file1 with a reference to flag.txt? – Tony Mar 10 '21 at 04:51
  • As @MarcoBonelli stated, the person who did this exercise probably didn't intend it to be solved by using dirty cow (otherwise it's a really stupid exercise). What you should do instead is find a way to trick the `reader` program to read `flag.txt` instead of `dir/file1.txt`. First thing that comes to mind : go to `/tmp`, create a `dir` directory, create a symlink in it pointing to the flag file, run the reader from there and see what happens. Also, you have an SSH access, you can definitely get a copy of this binary and try to reverse it. – ShellCode May 24 '21 at 14:23

0 Answers0