The MCPA competitive hacking team, also known as the Hammer of Thor (HoT), competes in private and public competitions on a regular basis in order to enhance individual technical abilities across the MCPA member base. HoT competes during specified events as directed by the Team Captain.
Lets log into the server and take a look at the permissions vortex2 runs at and the permissions of the password file.
That is good the program runs with vortex3 permissions and the password can be opened by vortex3.
Get shell PID
Run program to create tarball with the password inside and be able to open it with the permissions of vortex2
Open tarball and get password
Standard connection used.
Get shell PID
NOTE:Did not need to actually get PID, through testing actually found out that execv does not evaluate $$ like bash does and just processes it as a normal character. I have left this in to show flaw in thought process.
Since it is hard coded that the name of the file will be /tmp/ownership.\$\$.tar; the $$ in the file name is the decimal process ID of the invoked shell
The goal is to run this program that creates the tarball but make sure that when created it assigns the permissions of vortex2 instead of the invoking permissions of vortex3. To do this lets look at the man page for tar. Based on the options we should set the –mode with ‘a+rw’