# Level03

Once again we are given a mysterious file:

[screenshot]

Let's learn more about it:

[screenshot]

We see that it has the SUID bit set. A file with the SUID bit set always executes with the privileges of the file's owner, regardless of which user runs it. In this case the owner of the file is flag03.

As the user level03 I can borrow the privileges of flag03 when executing this file. This can potentially be exploited, so we'll keep it in mind.

However, when we run it nothing too exciting happens:

[screenshot]

I tried giving it different input values, but the output was always the same. Unfortunately we aren't provided with the source code, so some reverse engineering will be necessary.

As a matter of good practice, reversing a program starts with properly identifying it. Let's start with `file`:

```
level03@SnowCrash:~$ file level03
```

[screenshot]

It is a 32-bit ELF file, the native executable format on Linux. When we try to `cat` a binary file we get gibberish at best and a garbled terminal at worst. But such files might still contain valuable human-readable text. So how do we see it?

By using the strings command:

[screenshot]

The strings are listed in the order they appear in the file. We see that this program simply runs `echo Exploit me`, and that it does so through `/usr/bin/env`, which looks `echo` up in PATH instead of calling it by an absolute path. So how do we exploit this?

Well, we could write our own script called `echo` and make the program run that instead:

```
level03@SnowCrash:~$ vim /tmp/echo
```

```sh
#!/bin/sh
/bin/sh
```

Also don't forget to give it the necessary permissions (execute permission by itself would be enough too):

```
level03@SnowCrash:~$ chmod 777 /tmp/echo
```

[screenshot]

This script simply invokes a new shell. We'll soon see how that becomes useful. Now we will change the environment variables to trick the program into running this script instead of the real `echo` command.

[screenshot]

The PATH variable holds an ordered list of directories that the shell (and `env`) search, from first to last, whenever a command is given by name rather than by absolute path. That is why you can run any executable located in one of the PATH directories from anywhere without typing its full path.

We will add the /tmp directory at the beginning of our PATH so that it is checked first:

```
level03@SnowCrash:~$ export PATH=/tmp:$PATH
```

[screenshot]

Let's run level03 and see what happens.

[screenshot]

Okay, what happened?

[screenshot]

We got a shell 🎉 level03 runs with the privileges of user flag03, so the shell spawned by our fake `echo` runs as flag03. We can simply run `getflag` from here.

[screenshots]

We could have made our script run getflag and be done with it but it's more fun this way ~
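As an added note from the defensive side (example code written for this write-up, not the level's source): the `is_path_dependent` check is the heuristic you would run over a SUID binary's strings to spot exactly this class of bug, and `run_fixed_path` is the fix a SUID program needs, an absolute path and a fixed environment handed to `execve`, so the caller's PATH never decides what gets executed. The command line `/usr/bin/env echo Exploit me` used below is an assumed reconstruction from the strings output, not something the page shows verbatim.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Audit heuristic for strings pulled out of a SUID binary: a command line
 * that goes through /usr/bin/env, or names its program without a leading
 * '/', is resolved through PATH and so is under the caller's control. */
int is_path_dependent(const char *cmdline)
{
    if (strncmp(cmdline, "/usr/bin/env ", 13) == 0)
        return 1;                 /* env looks its argument up in PATH */
    return cmdline[0] != '/';     /* relative program name */
}

/* Hardened replacement for system("/usr/bin/env echo ..."): absolute path
 * only, and a fixed environment so the caller's PATH (and any LD_* vars)
 * never reach the child. Returns the child's exit status, or -1. */
int run_fixed_path(const char *path, char *const argv[])
{
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (path == NULL || path[0] != '/')
        return -1;                /* refuse anything PATH could hijack */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, safe_env);
        _exit(127);               /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* What a fixed level03 would do: same output, no PATH lookup at all. */
int demo_hardened_echo(void)
{
    char *const argv[] = { "echo", "Exploit me", NULL };
    return run_fixed_path("/bin/echo", argv);
}

int main(void)
{
    /* Assumed reconstruction of the call behind the strings on the page */
    printf("PATH-dependent: %d\n", is_path_dependent("/usr/bin/env echo Exploit me"));
    return demo_hardened_echo() == 0 ? 0 : 1;
}
```

With a fake `echo` first in PATH, the hardened version still prints the real message, because neither `/bin/echo` nor the fixed `PATH=/usr/bin:/bin` is influenced by the caller's environment.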