We might as well just try to cat out the file that we need, right?

./printfile /etc/leviathan_pass/leviathan3

Which tells us no.
I started out by using the ltrace command, which is a library call tracer, to see how it was determining permissions or if the file name we were not allowed to access was hard-coded.
ltrace ./printfile /etc/leviathan_pass/leviathan3

We see that it uses the following:

access("/etc/leviathan_pass/leviathan3", 4)

If we look at the man page for access we see that it is used to check the real user's permissions for a file. If the pathname is a symbolic link, it is dereferenced.
The first thing we should try then is to see if printfile will handle multiple files - maybe the second argument will not go through the access call for permission checking.
Create a /tmp/ location to work in, create two files, and then run printfile on them.
echo "Hello" >> test1
echo "World" >> test2
~/printfile test1 test2

In this case I just got "Hello" back, so we know it accepts multiple arguments but only prints the first one found. The edge case we see here is this: if a file is a symbolic link to the /etc/leviathan_pass/leviathan3 file, and another file is created whose name starts with that link's name but has extra characters appended, so that the access check passes on the longer name, we may be able to get the password.

ln -s /etc/leviathan_pass/leviathan3 ./pass
touch "pass word"
~/printfile "pass word"

Which will get us the password for leviathan3.
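For contrast, here is how a setuid file-printing helper can avoid the two weaknesses the walkthrough relies on: an access() check that is separate from the open, and a path that is handed to a shell and word-split. This is an added example written for this page, not the level's printfile binary (its source is not shown here; the access()-then-shell pattern is inferred from the ltrace output and the behaviour above). It assumes Linux with glibc, where setresuid() and setresgid() are available, and the function names print_file_safely and self_check are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Print a file on behalf of the real (invoking) user from a setuid helper.
 * Returns 0 on success, -1 on any failure.
 * Assumption: Linux with glibc, so setresuid/setresgid exist. */
int print_file_safely(const char *path, FILE *out) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Drop privileges permanently before touching the path: the kernel then
     * checks the real user's rights on the object open() actually resolves,
     * so there is no separate access() check to race or to sidestep. */
    if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* No shell in between: the path is one argument, spaces included, and
     * O_NOFOLLOW refuses a symlink in the final path component outright. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    /* Read from the descriptor we checked; the path is never resolved again. */
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (fwrite(buf, 1, (size_t)n, out) != (size_t)n) {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Self-contained check mirroring the page's two edge cases with constructed
 * files under a fresh temp dir: a name containing a space must be printed
 * whole, and a symlink must be refused. Returns 0 when both hold. */
int self_check(void) {
    char dir[] = "/tmp/printfile-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return 1;
    char spaced[256], link[256];
    snprintf(spaced, sizeof spaced, "%s/pass word", dir);
    snprintf(link, sizeof link, "%s/pass", dir);
    int rc = 0;
    FILE *f = fopen(spaced, "w");
    if (f == NULL || fputs("Hello\n", f) == EOF || fclose(f) != 0)
        rc = 2;
    if (rc == 0 && symlink(spaced, link) != 0)
        rc = 3;
    if (rc == 0) {
        FILE *out = tmpfile();
        char got[16] = {0};
        if (out == NULL || print_file_safely(spaced, out) != 0) {
            rc = 4;
        } else {
            rewind(out);
            size_t got_n = fread(got, 1, sizeof got - 1, out);
            got[got_n] = '\0';
            if (strcmp(got, "Hello\n") != 0)
                rc = 5;
        }
        if (out != NULL)
            fclose(out);
        /* The symlink must be rejected even though its target is readable. */
        if (rc == 0 && print_file_safely(link, stdout) != -1)
            rc = 6;
    }
    unlink(link);
    unlink(spaced);
    rmdir(dir);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    return print_file_safely(argv[1], stdout) == 0 ? 0 : 1;
}
```

The design choice is to make the permission check and the use the same operation: once the effective uid is the real uid, open() itself decides, so a symlink swapped in between a check and a use buys nothing, and because no shell is involved a filename like "pass word" is one argument rather than two.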