Task 1: command injection

The term injection attack refers to a wide variety of program flaws related to incorrect handling of input data: the attacker injects a malicious payload so to affect the flow of execution of the program.

Command injection

Consider for example the following C function of program myping

void ping(char *ip) {
    char buf[MAX_SIZE];
    snprintf(buf, MAX_SIZE, "ping -c1 %s", ip);


  • buf  is a string composed by appending the string  ip  passed as parameter to "ping -c1 " , through snprintf  (notice that snprintf  is safe for what concerns buffer overflow, as it limits the dimension to the produced string to MAX_SIZE-1, always adding the null-terminator 0x00);
  • buf  is passed to system , which executes the program ping as if it where run from the shell. The system  function is considered extremely risky, especially when its input is originated from an untrusted source, since it can be subject to command injection attacks.

Do not recompile the program, an executable with appropriate permissions is already installed in /usr/sbin . So you can execute it by simply issuing myping . In particular, the program has the setuid flag set, that executes it with the privileges of its owner (root): any subcommand that is executed by the myping program is run as root.

~ $ ls -al /usr/sbin/myping 
-rwsr-xr-x    1 root     root         19128 Nov 28 21:52 /usr/sbin/myping

Exploit a command injection attack in order to print the content of /etc/shadow . The password for task 2 is the password salt of user rookie  in /etc/shadow . The salt is the string delimited by dollar symbols after $6$ and before the password hash:  rookie:$6$ SALT $ HASH

Notice that /etc/shadow  is not readable by user rookie . So this is an example of privilege escalation through command injection.

~ $ whoami
~ $ cat /etc/shadow
cat: can't open '/etc/shadow': Permission denied