August 20, 2016

Nebula Level01 solution





After logging in, go to the "/home/flag01" directory, where you can see the flag01 file. Its setuid bit is set, and when you execute the file it prints "and now what?".

From the given source, the following vulnerabilities can be expected.

[1] The setresuid() function is used: this function changes the process's uids (real uid, effective uid, saved uid). Here it replaces the real, effective and saved uid with the effective uid (= flag01), so for as long as the process runs, it has the authority of flag01.

[2] The /usr/bin/env command is used: the echo program is looked up through the environment, i.e. through $PATH.

So, if the echo program that gets found is a modified one that executes a shell, you get a shell with flag01's authority.
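As an added example, and not the Nebula level's own source, the following C code shows the defender's side of this level: a check that flags PATH values containing entries a setuid program must not trust (such as a user's home directory, as in the walkthrough), and a hardened replacement for `system("/usr/bin/env echo ...")` that runs the helper by absolute path with a fixed environment so that no PATH lookup takes place. The trusted directory list and the fixed PATH value are assumptions chosen for the example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Directories a privileged program may trust in PATH (assumed list); anything
   else, such as an empty entry, a relative entry or a home directory, is not. */
static const char *TRUSTED_DIRS[] = {
    "/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
    "/usr/bin", "/sbin", "/bin", NULL };

/* Fixed environment handed to the child; the caller's PATH is ignored. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Returns 1 if the PATH value contains an entry a setuid program must not
   trust, 0 if every entry is one of TRUSTED_DIRS. */
int path_has_untrusted_entry(const char *path) {
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int trusted = 0;
        for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
            if (strlen(TRUSTED_DIRS[i]) == len &&
                strncmp(TRUSTED_DIRS[i], p, len) == 0)
                trusted = 1;
        }
        if (!trusted) return 1;      /* e.g. "/home/level01/" or "" */
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* Hardened counterpart of system("/usr/bin/env echo ..."): runs the helper by
   absolute path with the fixed environment above, so the invoking user's PATH
   cannot redirect it. Returns the child's exit status, or -1 on failure. */
int run_echo_safely(const char *msg) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "echo", (char *)msg, NULL };
        execve("/bin/echo", argv, SAFE_ENV);
        _exit(127);                 /* only reached if execve fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling `run_echo_safely("and now what?")` prints the same message as the level's binary, but a bogus `echo` placed earlier in the caller's PATH is never consulted.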




[1] Modify the "/home/level01/.bashrc" file so that the change is applied whenever a bash shell starts. Write export PATH="/home/level01/:$PATH", putting the new directory at the front so that it is referenced before the existing path entries.

[2] Execute a bash shell.

[3] Now you can check that "/home/level01" is referenced earlier than the other path entries.




[1] Move to the "/home/level01" directory.

[2] Make a shell script that executes "/bin/bash", and name it echo.

[3] Give all users execute permission on the echo file.

[4] Check that the echo shell script has been created.




[1] Execute "/home/flag01".

[2] As a result, a shell with flag01's authority is executed; the prompt has changed.

[3] Execute the command "getflag". Level01 is cleared.