On Febuary 22nd, the Stripe company ran a straightforward 6 level CTF. The first level provides a single setuid binary and corresponding source and the task of obtaining the flag (a password to another user’s account) from a text file (/home/level02/.password) owned and only viewable by the next level’s account. In addition, we have a single directory which we can write to.
level01.c
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
printf("Current time: ");
fflush(stdout);
system("date");
return 0;
}Essentially the binary will output the date as the computer knows it through the date command. More importantly, since the command which calls date uses relative paths and the binary is setuid we can gain higher access and access our target file.
Using environment variables we can modify where system("date"); will point to. To begin we’ll create a simple script in our directory using the command echo "cat /home/level02/.password" > date Then we’ll mark it executable with chmod +x date. Now finally we’ll alter the PATH to check our directory before it checks bin. Using export PATH=/tmp/"provided_directory":$PATH we’ll add our personal directory to the PATH. Now when we run our level01 binary, we see that date no longer outputs the date, but the contents of the .password file.