Hi there i'm stuck in a privillege escalation ctf. I found the above script in c and i can understand that it takes as input a config.json file with some arguments. One of the args is fhcrefrpergcnffjbeq that in rot13 is the supersecretpassword encoded. In the same folder i found also the compiled a.out. So i guess i have to make a config.json file with some args and run the compiled a.out. Thank you in advance!
Code:
#include<stdio.h>
#include<stdlib.h>
#include<ctype.h>
#include<json-c/json.h>
#include<string.h>
#include<unistd.h>
#defineBUFLEN2048
char *encrypt(const char *ptxt, size_t len)
{
char *ctxt = calloc(len + 1, sizeof(char));
for (int i = 0; i < len; i++) {
ctxt =
((isalpha(ptxt)) ? (tolower(ptxt) < 'n' ? ptxt + 13 : ptxt - 13) :
ptxt);
}
return ctxt;
}
int main(int argc, char **argv)
{
FILE *fp;
char buffer[BUFLEN];
struct json_object *jsonData;
struct json_object *jsonCmd;
struct json_object *jsonArgs;
struct json_object *jsonSecret;
int flag = 0;
fp = fopen("config.json", "r");
if (fp) {
fread(buffer, BUFLEN, 1, fp);
fclose(fp);
jsonData = json_tokener_parse(buffer);
if (json_object_object_get_ex(jsonData, "cmd", &jsonCmd)
&& json_object_object_get_ex(jsonData, "args", &jsonArgs)
&& json_object_object_get_ex(jsonData, "secret", &jsonSecret)) {
const char *cmd = json_object_get_string(jsonCmd);
size_t argsLen = json_object_array_length(jsonArgs);
const char *pwd = json_object_get_string(jsonSecret);
char **argvList = calloc(argsLen + 2, sizeof(char *));
argvList[0] = cmd;
for (int i = 0; i < argsLen; i++) {
argvList[i + 1] =
json_object_get_string(json_object_array_get_idx(jsonArgs, i));
}
char *ctxt = encrypt(pwd, strlen(pwd));
if (strcmp(ctxt, "fhcrefrpergcnffjbeq") == 0) {
setgid(1001);
setuid(1000);
if (execv(argvList[0], argvList) < 0) {
perror("execv");
}
}
free(ctxt);
free(argvList);
}
json_object_put(jsonData);
} else {
printf("Missing File!");
}
}