Thread: c script for privilege escalation

  1. #1
    Registered User
    Join Date
    Feb 2021
    Posts
    5

    c script for privilege escalation

    Hi there, I'm stuck in a privilege escalation CTF. I found the above script in C and I can understand that it takes as input a config.json file with some arguments. One of the args is fhcrefrpergcnffjbeq, which in rot13 is the supersecretpassword encoded. In the same folder I also found the compiled a.out. So I guess I have to make a config.json file with some args and run the compiled a.out. Thank you in advance!


    Code:
    #include<stdio.h>
    #include<stdlib.h>
    #include<ctype.h>
    #include<json-c/json.h>
    #include<string.h>
    #include<unistd.h>
    
    #define BUFLEN 2048
    
    char *encrypt(const char *ptxt, size_t len)
    {
    
      char *ctxt = calloc(len + 1, sizeof(char));
    
      /* ROT13: shift each letter by 13 places; other bytes pass through */
      for (int i = 0; i < len; i++) {
        ctxt[i] =
            ((isalpha(ptxt[i])) ? (tolower(ptxt[i]) < 'n' ? ptxt[i] + 13 : ptxt[i] - 13) :
             ptxt[i]);
      }
    
      return ctxt;
    }
    
    int main(int argc, char **argv)
    {
    
      FILE *fp;
      char buffer[BUFLEN];
      struct json_object *jsonData;
      struct json_object *jsonCmd;
      struct json_object *jsonArgs;
      struct json_object *jsonSecret;
      int flag = 0;
    
      fp = fopen("config.json", "r");
      if (fp) {
        fread(buffer, BUFLEN, 1, fp);
        fclose(fp);
    
        jsonData = json_tokener_parse(buffer);
        if (json_object_object_get_ex(jsonData, "cmd", &jsonCmd)
            && json_object_object_get_ex(jsonData, "args", &jsonArgs)
            && json_object_object_get_ex(jsonData, "secret", &jsonSecret)) {
    
          const char *cmd = json_object_get_string(jsonCmd);
          size_t argsLen = json_object_array_length(jsonArgs);
          const char *pwd = json_object_get_string(jsonSecret);
    
          char **argvList = calloc(argsLen + 2, sizeof(char *));
          argvList[0] = cmd;
          for (int i = 0; i < argsLen; i++) {
            argvList[i + 1] =
                json_object_get_string(json_object_array_get_idx(jsonArgs, i));
          }
          char *ctxt = encrypt(pwd, strlen(pwd));
    
          if (strcmp(ctxt, "fhcrefrpergcnffjbeq") == 0) {
            setgid(1001);
            setuid(1000);
            if (execv(argvList[0], argvList) < 0) {
              perror("execv");
            }
          }
          free(ctxt);
          free(argvList);
        }
        json_object_put(jsonData);
      } else {
        printf("Missing File!");
      }
    }
    Last edited by Salem; 02-11-2021 at 06:31 AM. Reason: Removed EYEBLEED FONT AND COLOUR CHOICES
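
Two steps in the posted main() deserve a reviewer's attention: `fread(buffer, BUFLEN, 1, fp)` leaves `buffer` without a terminating NUL before it is parsed as a string, and the return values of `setgid`/`setuid` are never checked before `execv`. The sketch below is an added example, not part of the original post; `read_text_file` and `switch_ids` are hypothetical helper names, and the demo `main` only re-asserts the IDs the process already has.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define BUFLEN 2048

/* Read a small text file into buf and always NUL-terminate it.
 * Returns the byte count, or -1 if the file is missing, unreadable,
 * or does not fit in cap - 1 bytes (no silent truncation). */
long read_text_file(const char *path, char *buf, size_t cap)
{
  if (cap == 0)
    return -1;
  FILE *fp = fopen(path, "r");
  if (!fp)
    return -1;
  size_t n = fread(buf, 1, cap - 1, fp);  /* item size 1: n is a byte count */
  int bad = ferror(fp) || (n == cap - 1 && fgetc(fp) != EOF);
  fclose(fp);
  if (bad)
    return -1;
  buf[n] = '\0';
  return (long)n;
}

/* Switch group first, then user, and confirm the result.
 * Returns 0 on success; on -1 the caller must not go on to exec. */
int switch_ids(gid_t gid, uid_t uid)
{
  if (setgid(gid) != 0 || setuid(uid) != 0)
    return -1;
  if (getegid() != gid || geteuid() != uid)
    return -1;
  return 0;
}

int main(void)
{
  char buffer[BUFLEN];
  long n = read_text_file("config.json", buffer, sizeof buffer);
  /* Constructed demo: a real caller would pass its target gid/uid here. */
  if (n < 0 || switch_ids(getgid(), getuid()) != 0) {
    fprintf(stderr, "bad config or ID switch failed; refusing to continue\n");
    return 1;
  }
  printf("read %ld bytes; ids confirmed\n", n);
  return 0;
}
```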
