Task: KringleCon Kiosk

Opening the Kiosk presented another interactive terminal session.

Main Menu: [image]

Map: [image]

Code of Conduct and Terms of Use: [image]

Print Name Badge: kringlecon-kiosk1

 ________
< borari >
 --------
  \
   \   \_\_    _/_/
    \      \__/
           (oo)\_______
           (__)\       )\/\
               ||----w |
               ||     ||

Can I just enter in a sub-command as my name and have it evaluated?

Yeah?

Oh, stdout is being redirected to the cowsay bubble…

Can I just redirect it to stdin? Whoops, think I needed 0>&1.

No, I needed 1>&0.

I grabbed the welcome.sh source code and saved it.

Ok, there is a binary that has the SUID bit set… I tried overflowing it, couldn’t. Couldn’t dump it or base64 encode it for retrieval either.

Opt has all the files for the kiosk menu.

Oh cool, there's a directory that wasn't available in the main menu.

Not sure what mailbox.txt is.

      _________
    .`.        `.
   /   \ .======.\
   |   | |______||
   |   |   _____ |
   |   |  /    / |
   |   | /____/  |
   | _ |         |
   |/ \|.-"```"-.|
   `` |||      |||
jgs   `"`      `"

Or plant.

  Hi, my name is Jason the Plant!
  ( U
   \| )
  __|/
  \    /
   \__/ ejm96

Reindeer.cow shows why the kiosk code was vulnerable: it's just an <<EOC, echo in.
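
The pattern behind the badge prompt, as an added example that is not the kiosk's welcome.sh or any code from the original page: a badge printer that pastes the name into a command string, beside a hardened form. The function names, the `printf` stand-in for the cowsay call and the marker input are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical badge printer, not the kiosk's welcome.sh.
# render_badge stands in for the cowsay call so this runs without cowsay.
render_badge() {
    printf '< %s >\n' "$1"
}

# Weak form: the name is pasted into a command string that a second shell
# parses, so a $(...) sub-command in the name is evaluated and its stdout
# becomes the badge text.
badge_unsafe() {
    sh -c "printf '< %s >\n' $1"
}

# Hardened form: reject anything outside a small allowlist, then hand the
# name over as one argument that no shell parses again.
badge_safe() {
    name=$1
    case $name in
        '' | *[!A-Za-z0-9_.-]*)
            echo "invalid name" >&2
            return 1
            ;;
    esac
    [ "${#name}" -le 32 ] || { echo "name too long" >&2; return 1; }
    render_badge "$name"
}

# Constructed input: a harmless marker command in place of a real name.
probe='$(echo INJECTED)'
badge_unsafe "$probe"
badge_safe "$probe" || echo "rejected by allowlist"
badge_safe borari
```

Passing the name as a quoted argument is what stops the evaluation; the allowlist is a second layer on top of it.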

