What to do if you are locked in rbash
Most recently passed another interesting CTF Boston Key Party 2017 . Which we unfortunately did not win, but this is another story. And today I would like to describe the solution of one task from the pwn section is “Solitary Confinement (pwn 99)” .
Having made the connection via SSH, we immediately get into rbash .
Having looked around, it becomes clear that we do not have files available for execution, through which it would be possible to get into normal walking,:
Next, look around the system:
')
We understand that we are in the root directory! First thought - This is great! However, we look further:
Well, at least we know where the flag is. But here it is not so simple by looking at the file attributes:
We understand that this is a binary, it does not belong to us either. Since using / for executing commands is prohibited, just as changing cd is used. It was necessary to figure out how to change the PATH variable.
You can change environment variables as follows:
After careful study of the documentation for each team, you can stumble upon such an interesting fragment:
Hmm, since it is impossible to change a variable directly, try creating a link:
No errors occurred. Check the changes:
We have a flag. Task completed. If you have bash 'for example, you could run it in the same way.
Having made the connection via SSH, we immediately get into rbash .
Having looked around, it becomes clear that we do not have files available for execution, through which it would be possible to get into normal walking,:
rbash-4.3$ [tab] ! ]] builtin compgen declare echo eval fc getopts in logout pwd readonly shopt time typeset until alias caller complete dirs elif exec fg hash jobs mapfile return source times ulimit wait : bg case compopt disown else exit fi help kill popd rbash select suspend trap umask while [ bind cd continue do enable export for history let printf read set test true unalias { [[ break command coproc done esac false function if local pushd readarray shift then type unset } Next, look around the system:
')
-rbash-4.3$ pwd / We understand that we are in the root directory! First thought - This is great! However, we look further:
-rbash-4.3$ echo ./* bin dev flag lib lib64 -rbash-4.3$ echo ./bin/* rbash -rbash-4.3$ echo ./flag/* showFlag Well, at least we know where the flag is. But here it is not so simple by looking at the file attributes:
-rbash-4.3$ if [[ -r flag/showFlag ]]; then echo ok; fi -rbash-4.3$ if [[ -x flag/showFlag ]]; then echo ok; fi ok -rbash-4.3$ if [[ -G flag/showFlag ]]; then echo ok; fi -rbash-4.3$ if [[ -O flag/showFlag ]]; then echo ok; fi We understand that this is a binary, it does not belong to us either. Since using / for executing commands is prohibited, just as changing cd is used. It was necessary to figure out how to change the PATH variable.
rbash-4.3$ unset -v PATH rbash: unset: PATH: cannot unset: readonly variable You can change environment variables as follows:
- set PATH = deadbeef
- typeset PATH = deadbeef
- export PATH = deadbeef
- PATH = deadbeef
- declare PATH = deadbeef
After careful study of the documentation for each team, you can stumble upon such an interesting fragment:
declare: declare [-aAfFgilnrtux] [-p] [name [= value] ...]
Set variable values and attributes.
...
-n make NAME a reference to the variable named by its value
Hmm, since it is impossible to change a variable directly, try creating a link:
rbash-4.3$ declare -n PATH rbash-4.3$ export PATH=/flag No errors occurred. Check the changes:
rbash-4.3$ echo $PATH /flag rbash-4.3$ showFlag BKP{vimjail_is_down,_fortunately_we_have_rbash_to_save_the_day} We have a flag. Task completed. If you have bash 'for example, you could run it in the same way.
Source: https://habr.com/ru/post/324132/
All Articles