← back

basic2

W3Challs·pwn·easy

Introduction

We are given a setuid binary owned by basic2_pwned, and its source code.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

#define MAX    3
#define ARG    "cat /home/basic2/flag"

int main(short argc, char **argv)
{
        char *names[] = {"strlen", "atoi", "printf", "puts"};
        void (*reachable_functions[])(char *) = {strlen, atoi, printf, puts};
        void (*unreachable_functions[])(char *) = {system};
        short i, index = 0;

        setresuid(geteuid(), geteuid(), geteuid());

        for (i = 1; i < argc; i++) {
                index += strlen(argv[i]);
        }

        if (index <= MAX) {
                (reachable_functions[MAX-1])("Calling ");
                (reachable_functions[MAX-1])(names[index]);
                (reachable_functions[MAX-1])(".\n");
                (reachable_functions[index])(ARG);
        } else {
                (reachable_functions[MAX])("Out of bounds !\n");
        }

        return 0;
}

Based on the length of the user's input, a function is called with the argument "cat /home/basic2/flag".

The rest of this writeup is restricted.

enter access token →