18 August 2012

Exploit.Exercise.com - Nebula - Level01

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

With level01 you don't need to know about programming in C++ as much as you do about how Linux finds the commands it runs. So, read the blurb over at Wikipedia about the $PATH variable. The point of the $PATH variable on Linux/Unix systems is that when a command needs to be executed, the system has to find where it is, and the $PATH variable specifies where to look.

So, skimming through the source code shown on Nebula level01, you'll see that the program runs the echo command which prints out "and what now?". But remember what you read at Wikipedia about the $PATH variable? The only way to deliberately execute a command in a specific location is to give its path, for example with (./). Therefore, as you can see from the source code, the echo command isn't being executed from a specific location. It is found using the $PATH variable, and the first instance located is the one that runs. What if there was another echo command somewhere else that we could point the $PATH variable to? Perhaps an echo command that we created...that ran the getflag binary for us :)

To do this, we create a symbolic link from the command echo (that we created) to the target binary: 'getflag'.

First, make sure we are in our home directory, /home/level01
$ cd ~
Now, create the soft symlink
$ ln -s /bin/getflag echo
Then export the $PATH to update it.
$ export PATH=/home/level01:$PATH
Make sure it worked
$ echo $PATH
Finally, run flag01
$ /home/flag01/flag01
You have successfully executed getflag on a target account
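
The first-match $PATH lookup this level relies on, as an added example that is not part of the original post: a shell script that resolves a command name the way the lookup does and reports when an inherited $PATH makes it resolve to a different file than a fixed, trusted $PATH would. The function names (resolve_first, check_shadow) and the temporary directories with their stub files are constructed for illustration.

```shell
#!/bin/sh
# Added example. All directories and stub commands below are constructed.

# resolve_first NAME PATHSTRING
# Walk PATHSTRING left to right, as execvp() and env do, and print the
# first executable file called NAME. Exit status 1 if there is none.
resolve_first() (
    IFS=:
    set -f                                # no globbing while splitting
    for dir in $2; do
        [ -n "$dir" ] || dir=.            # empty entry = current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# check_shadow NAME INHERITED_PATH TRUSTED_PATH
# Succeed only if NAME resolves to the same file under the inherited PATH
# as under a fixed, trusted PATH; otherwise report the mismatch.
check_shadow() {
    got=$(resolve_first "$1" "$2") || got="(not found)"
    want=$(resolve_first "$1" "$3") || want="(not found)"
    [ "$got" = "$want" ] && return 0
    printf 'shadowed: %s -> %s (expected %s)\n' "$1" "$got" "$want"
    return 1
}

# Constructed layout: one "system" directory and one user-writable
# directory, each holding a harmless stub named echo.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/sysbin" "$demo_dir/home"
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/sysbin/echo"
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/home/echo"
chmod +x "$demo_dir/sysbin/echo" "$demo_dir/home/echo"

TRUSTED="$demo_dir/sysbin"
INHERITED="$demo_dir/home:$TRUSTED"   # same shape as PATH=/home/level01:$PATH

check_shadow echo "$INHERITED" "$TRUSTED" || true   # reports the mismatch
check_shadow echo "$TRUSTED" "$TRUSTED" && printf 'fixed PATH: echo resolves as expected\n'
```

A privileged program avoids this mismatch by invoking commands by absolute path, or by setting PATH to a fixed value itself before running anything.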