Root me: Bash — System 1

In this post, we solve one of the “Root me” challenges called “Bash — System 1”. We have a binary file with SUID bit and the C code to understand the binary.

Code:

#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) 
{
    setreuid(geteuid(), geteuid());
    system("ls /challenge/app-script/ch11/.passwd");
    return 0;
}

This code basically prints the content of the file /challenge/app-script/ch11/.passwd . And, ls command relies on the system paths to run the command. So, it looks like we can try to change system path information.

First, I will try to set an alias for the ls command.

Adding alias

Lastly, I will change the $PATH environment variable and try again. I will copy the cat command to the /tmp folder and rename it.

After we change the $PATH, we could print the content of the .passed file.

If you want to solve this challenge, please click here.