Introduction
We are given a setuid binary owned by notesreader_pwned, and its source code.
#define _XOPEN_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <crypt.h>
#define NOTES "notes.txt"
#define ENV_AUTH "AUTH"
#define PASSWORD "42Oz6uCfSR.SI"
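/*
 * Print the contents of NOTES when the value of the ENV_AUTH environment
 * variable, hashed with crypt(3) using PASSWORD as the setting string,
 * equals PASSWORD. Otherwise print a refusal message.
 *
 * Always returns 0, whether access was granted, refused, or the file
 * could not be opened.
 *
 * NOTE(review), hardening points for a program installed setuid (as the
 * accompanying text describes):
 *  - PASSWORD looks like a traditional 13-character crypt(3) hash, a legacy
 *    scheme, and it is embedded in the binary where any reader of the
 *    binary or source can recover it. Keep the verifier outside the
 *    executable and use a modern password hash.
 *  - The environment is supplied entirely by the invoking user and is a
 *    poor channel for a secret.
 *  - NOTES is a relative path, so fopen() resolves it against the caller's
 *    working directory. A privileged program should open a fixed absolute
 *    path.
 */
int main(void)
{
    const char *supplied = getenv(ENV_AUTH);
    const char *hashed = NULL;

    if (supplied != NULL) {
        /*
         * crypt() may return NULL on failure (for example when the hashing
         * method is unavailable). Passing that to strcmp() would be
         * undefined behaviour, so a NULL result is treated as a refusal.
         */
        hashed = crypt(supplied, PASSWORD);
    }

    if (hashed == NULL || strcmp(hashed, PASSWORD) != 0) {
        printf("Restricted access !\n");
        return 0;
    }

    FILE *notes = fopen(NOTES, "r");
    if (notes == NULL) {
        printf("Fail...\n");
        perror("fopen");
        return 0;
    }

    printf("Reading notes :\n");

    /* Copy the file to stdout one byte at a time until EOF or a read error. */
    int c;
    while ((c = fgetc(notes)) != EOF) {
        putchar(c);
    }
    fclose(notes);

    return 0;
}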
If the crypt() hash of the AUTH environment variable equals 42Oz6uCfSR.SI, the program prints the contents of notes.txt.
The rest of this writeup is restricted.