The Server was running SunOS, if I do remember correctly. Though that makes it a tad more obsolete than the Windows 95 machines.
In any case, when logged into the Sun via good olde Telnet, we puny students were running in the shell's restricted mode. One of the goals of this process was to prevent us from having the Full Power of
Though it prevented writes to $PATH so that I couldn't add "allowed" commands, rbash didn't prevent reading from it. I noticed that ~/bin was part of the list, and of course we had write access to our home directories through some GUI on the Windows machines. (Whatever provided that access also allowed for setting permission bits.) I can't really remember how that all worked, but I quickly studied the Internet and put together a shell script in Notepad that would simply run an unrestricted shell. This was the ever-so-subtly named power.sh.
Then I discovered that Notepad writes "CRLF" line-endings, and the extra "CR" characters were preventing the script from running. I searched the Internet again; clearly, I needed dos2unix. But the code I found was implemented as another shell script that just called tr -d '\r'. Being rather ignorant, I went home and rewrote power.sh on my Linux machine there. I tested it at home, but it was still torture to wait for the next day in the lab to try it out.
It worked. I felt like the biggest genius on the whole campus, having clearly outsmarted the Guys Who Were Paid to Secure the Server.
But other than that, it was actually kind of anticlimactic. Being so ignorant, I didn't really have a use for the Full Power of
I also didn't bother to tell the administrators. According to the policy, merely attempting to circumvent any restriction for any purpose, including but not limited to reporting the vulnerability, was grounds for having your access revoked. And as a computer science major, that was just a senseless risk to take.
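The gap in this story, a directory the restricted user can write to sitting on a $PATH the user cannot change, is something an administrator can check for before handing out rbash accounts. The script below is an added example, not code from the original post; the function name, its arguments and the sample values are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the PATH handed to a
# restricted-shell account. rbash only runs commands found through PATH,
# so every directory on it must be out of the user's reach.
# The function name and its arguments are hypothetical.

# audit_restricted_path PATH_STRING HOME_DIR NUMERIC_UID
# Prints one "reason<TAB>entry" line for each risky PATH entry.
audit_restricted_path() {
    local path_string=$1 home_dir=${2%/} uid=$3 entry dir
    local -a entries
    # The appended ':' keeps a trailing empty entry from being dropped.
    IFS=: read -r -a entries <<< "${path_string}:"
    for entry in "${entries[@]}"; do
        dir=$entry
        case $entry in
            '' | .)                      # empty entry means "current directory"
                printf 'cwd\t%s\n' "${entry:-<empty>}"; continue ;;
            '~' | '~/'*)                 # literal tilde, resolve against home
                dir=$home_dir${entry#\~} ;;
            /*) ;;                       # absolute path, checked below
            *)                           # relative to wherever the user cd's
                printf 'relative\t%s\n' "$entry"; continue ;;
        esac
        # Anything inside the home directory is under the user's control,
        # even if it does not exist yet (the user can create it).
        case $dir/ in
            "$home_dir"/*) printf 'in-home\t%s\n' "$entry"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # Owned by the user or world-writable (group write is not checked).
        if [ -n "$(find "$dir" -maxdepth 0 \( -user "$uid" -o -perm -0002 \) 2>/dev/null)" ]; then
            printf 'writable\t%s\n' "$entry"
        fi
    done
}

# Constructed sample: a PATH like the one in the story, with ~/bin on it.
audit_restricted_path '/usr/local/rbin:/home/student/bin' /home/student 1001
```

Any line of output means the restricted PATH needs fixing: move the allowed commands into a root-owned directory outside the home directory and drop the flagged entry.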