I'm doing some challenges on the internet, and I need some help
Context: The goal is to read the content of a .password file in a directory. In this directory there is a binary (and his source code available). When we execute this binary we got the SuperUser rights (bit s with an ls).
here's the code:
int main(int argc, char ** argv)
{
char cmd[256]= "/bin/ls -la ";
if(argc!=2)
{
printf("Usage : %s <nom de dossier>\n",argv[0]);
return 1;
}
if(strlen(argv[1])<9)
{
strcat(cmd, argv[1]);
system(cmd);
}
else
{
printf("No input larger than 8 char allowed.\n");
}
return 0;
}
So it's basic I inject a command with argv[1] to cat the .password like this
argv[1] = " .| cat .password"
But the if(strlen(argv[1])<9) blocks me. I guess I must inject a null byte to decoy the strlen. Am I right ? I've tried to do that with an hexa->String converter (0x00 -> �? ) but it fails…
Thank you for your help.
Your argv[1] is of 17 character long, so the
if(strlen(argv[1])<9)
will fail and it goes to the else part.
You should increase the value 9 into 18 or more.
