First and foremost, I have advanced a little in my SETUID problem. (kind of)
Apparently I was being dumb and forgot to use setuid to make my "effective uid" into my "real uid".
However, calling setuid() does not change the "real uid". Moreover, it doesn't even give an error. (return is 0)
Here is the code:
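#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main (void)
{
    /* Remember both IDs before changing anything */
    int real = getuid();
    int euid = geteuid();

    /* IDs before the call */
    printf("real uid: %d\n", getuid());
    printf("effective uid: %d\n", geteuid());

    /* Call setuid() with the current effective UID */
    int error = setuid(euid);
    printf("setuid response : %d\n", error);

    /* IDs after the call */
    printf("real uid: %d\n", getuid());
    printf("effective uid: %d\n", geteuid());
    printf("\n");

    /* Switch back to the original real UID before exiting */
    setuid(real);
    return 0;
}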
It returns...
setuid: 1001
effective uid: 1002
setuid response : 0
setuid: 1001
effective uid: 1002
What could be the problem here? :/
Second of all, I still can not make the log-in work properly. ):
I placed an "echo ash" and an "echo bash" inside every ".ashrc" and ".bashrc", respectively.
When logging in as "tc" it loads the .ashrc file in /home/tc... twice. I get two printings of "ash".
Also, I get all the aliases defined in ".ashrc", so it's pretty clear the file is being executed.
When I log in as "root", "attacker_1" or "victim_1", I do not get any "ash" or "bash" printing.
I don't get any of the aliases either, so it's clear no file is actually being loaded.
What's even weirder is that the user "victim_1" tries to access "/usr/bin/tty" (and returns a permission denied error).
The user "attacker_1" does not try this. ("attacker_1" does not have access to busybox either, so this would give an error)
"victim_2" and beyond load similar to tc (they open the "ashrc" file... twice) and also try to get "/usr/bin/tty".
Could this be a problem of badly configured consistence on my part?
system() calls /bin/sh, so it sounds like you didn't replace it with bash. tce-loading bash does not make it /bin/sh.
When running "ls -l /bin/*sh" I get the following results after booting up:
lrwxrwxrwx 1 root root 7 Mar 19 2018 /bin/ash -> busybox
lrwxrwxrwx 1 root root 7 Mar 19 2018 /bin/bash -> /tmp/tcloop/bash/usr/local/bin/bash
lrwxrwxrwx 1 root root 7 Mar 19 2018 /bin/fdflush -> busybox
lrwxrwxrwx 1 root root 7 Mar 19 2018 /bin/sh -> bash
Doesn't that make Bash the default SHELL?
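
On the setuid() question at the top of this post, an added example (not part of the original post): a simplified model of how Linux updates the real, effective and saved user IDs, run on the IDs printed above. The helper names are hypothetical, the saved ID of 1002 is an assumption (what a set-uid executable gets at exec), and "privileged" is approximated as effective UID 0.

```c
#include <stdio.h>

/* The three user IDs the kernel tracks per process. */
struct ids { long ruid, euid, suid; };

static int is_one_of(const struct ids *c, long uid) {
    return uid == c->ruid || uid == c->euid || uid == c->suid;
}

/* Model of Linux setuid(2); "privileged" is approximated as euid == 0. */
int model_setuid(struct ids *c, long uid) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
    if (uid != c->ruid && uid != c->suid) return -1;   /* EPERM */
    c->euid = uid;               /* real and saved IDs stay untouched */
    return 0;
}

/* Model of Linux setresuid(2); -1 means "leave this ID unchanged". */
int model_setresuid(struct ids *c, long r, long e, long s) {
    if (c->euid != 0 &&
        ((r != -1 && !is_one_of(c, r)) || (e != -1 && !is_one_of(c, e)) ||
         (s != -1 && !is_one_of(c, s))))
        return -1;                                     /* EPERM */
    if (r != -1) c->ruid = r;
    if (e != -1) c->euid = e;
    if (s != -1) c->suid = s;
    return 0;
}

/* Constructed scenario: the IDs printed in the post (real 1001, effective 1002). */
struct ids post_scenario(void) {
    struct ids c = { 1001, 1002, 1002 };  /* assumed: saved = effective after exec */
    return c;
}

int main(void) {
    struct ids c = post_scenario();
    int rc = model_setuid(&c, 1002);
    printf("setuid(1002) -> %d: r=%ld e=%ld s=%ld\n", rc, c.ruid, c.euid, c.suid);
    rc = model_setresuid(&c, 1002, 1002, 1002);
    printf("setresuid(1002,1002,1002) -> %d: r=%ld e=%ld s=%ld\n", rc, c.ruid, c.euid, c.suid);
    rc = model_setuid(&c, 1001);
    printf("setuid(1001) -> %d: r=%ld e=%ld s=%ld\n", rc, c.ruid, c.euid, c.suid);
    return 0;
}
```

In the model, setuid(1002) succeeds without touching the real UID, which matches the output in the post. setresuid() moves all three IDs at once, after which a switch back to 1001 is refused.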