The MCPA competitive hacking team, also known as the Hammer of Thor (HoT), competes in private and public competitions on a regular basis in order to enhance individual technical abilities across the MCPA member base. HoT competes during specified events as directed by the Team Captain.
This is a solution guide to Vortex Level 02 at OverTheWire. This write-up was created on 21 October 2015.
The prompt hints that we should "create a special tar file", so we are going to be working with tar files. Looking at the source code below, we see that /bin/tar is executed with execv.
Let's log into the server and look at the permissions vortex2 runs with and the permissions of the password file.
That is good: the program runs with vortex3 permissions, and the password file can be opened by vortex3.
Methodology
Establish connection
Get shell PID
Run program to create tarball with the password inside and be able to open it with the permissions of vortex2
Open tarball and get password
Cleanup
Establish connection
Standard connection used.
Get shell PID
NOTE: Did not need to actually get the PID. Through testing I found out that execv does not evaluate $$ like bash does and just processes it as a normal character. I have left this in to show the flaw in my thought process.
Since the file name is hard-coded as /tmp/ownership.$$.tar, the $$ in the file name is the decimal process ID of the invoked shell.
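The behaviour described in the note can be checked directly. The following is an added example, not code from the original write-up or from the level's source: it passes the same file-name pattern to a program through execv() and, for comparison, through /bin/sh -c. It assumes /bin/echo and /bin/sh exist (echo stands in for /bin/tar), and run_capture is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] via execv() and capture the first line of its stdout in out.
 * Returns 0 if the child exited with status 0, -1 otherwise. */
int run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    if (outlen == 0 || pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execv(argv[0], argv);            /* argv strings are passed verbatim */
        _exit(127);                      /* only reached if execv failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    out[strcspn(out, "\n")] = '\0';      /* keep the first line only */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char direct[128], viash[128];
    char *a1[] = { "/bin/echo", "/tmp/ownership.$$.tar", NULL };
    char *a2[] = { "/bin/sh", "-c", "echo /tmp/ownership.$$.tar", NULL };
    if (run_capture(a1, direct, sizeof direct) || run_capture(a2, viash, sizeof viash))
        return 1;
    printf("execv, no shell: %s\n", direct);  /* $$ stays two literal characters */
    printf("via /bin/sh -c : %s\n", viash);   /* $$ replaced by the shell's PID */
    return 0;
}
```

Only the second call involves a shell, so only there is $$ replaced by a process ID; with execv() alone the file is literally named ownership.$$.tar.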
The goal is to run this program so that it creates the tarball, but make sure that when created it assigns the permissions of vortex2 instead of the invoking permissions of vortex3. To do this, let's look at the man page for tar. Based on the options, we should set --mode to 'a+rw'.