I'm trying to exploit a program which has the set-guid bit enabled. The program is simple; it contains the following (stage.c):

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char **argv)
{
  gid_t egid = getegid();
  setregid(egid, egid);

  system("cat /etc/passwd");
  return 0;
}
```

I need to call a program called "grade" with the group of the given program. I can't create new files. What can I do?

  • You can't create new files **anywhere** at all? Can you rename files? – domen Mar 29 '19 at 16:28
  • No I can't. I have to use the privilege of stage to call grade and to change the directory to /home/stage3/ – Ervin Cosic Mar 29 '19 at 16:37
  • Did you try aliasing cat to grade and setting path to be the directory that contains the grade program? – user Nov 04 '19 at 14:39
  • Never mind, looks like `system()` doesn't keep alias commands. Unless you have a symlink called `cat` that points to your grade program you'll need to find some other way to make it call grade explicitly. – user Nov 04 '19 at 14:51
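
For comparison, a hardened form of stage.c, given here as an added example that is not part of the original question or comments: it replaces `system()` with `execve()` on an absolute path and a fixed environment, so neither a shell nor the caller's `PATH` decides which `cat` runs. The helper name `run_fixed`, the path `/bin/cat` and the `PATH` value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child; nothing is inherited from the caller.
 * The PATH value is an assumption, adjust it to the target system. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/*
 * Run the program at abs_path with CLEAN_ENV and no shell in between.
 * Returns the child's exit status, or -1 on any failure.
 */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;              /* refuse anything that needs a PATH search */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);             /* only reached if execve failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;              /* wait failed or child was killed by a signal */
    return WEXITSTATUS(status);
}

int main(void)
{
    gid_t egid = getegid();
    if (setregid(egid, egid) != 0) {   /* same call as stage.c, result checked */
        perror("setregid");
        return 1;
    }

    /* Assumed location of cat; argv[0] is only a label here. */
    char *const argv[] = { "cat", "/etc/passwd", NULL };
    return run_fixed("/bin/cat", argv) == 0 ? 0 : 1;
}
```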
