Nebula exploit exercises walkthrough – level10

The setuid binary at /home/flag10/flag10 will upload any file given to it, as long as the file passes the check made with the access() system call.

I think I can already see the problem.

Firstly, we can see that the token file we need to read out is permissioned such that level10 cannot see it:

On line x above, we have the following:

From the man page of access:

access() checks whether the calling process can access the file pathname.

The check is done using the calling process’s real UID and GID, rather than the effective IDs as is done when actually attempting an operation (e.g., open(2)) on the file.

So we check the file permissions using the real UID (level10), but then later on we do:

and open uses the effective UID, and as the executable has suid, this means flag10.

This is commonly called a time-of-check to time-of-use, or TOCTOU, bug (Wikipedia’s example is pretty much exactly the same issue).

If we can swap out the file between the time-of-check and the time-of-use, we should be able to send token.
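The access()/open() pattern described above, beside a hardened version that drops to the real identity before opening, as an added example that is not the level10 binary's source; the function names and the /tmp fixture are assumptions made here:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable shape, as in the level10 binary: access() decides using the real
 * UID, open() later acts with the effective UID, and the path can be re-pointed
 * (the walkthrough flips a symlink) in between. */
int open_checked_racy(const char *path) {
    if (access(path, R_OK) != 0) return -1;
    return open(path, O_RDONLY);        /* race window lies between these lines */
}

/* Hardened shape (a hypothetical fix, not the exercise's code): temporarily take
 * the caller's real identity so the kernel checks the exact inode it opens, which
 * makes access() unnecessary. O_NOFOLLOW also rejects a symlink as the final path
 * component, failing with ELOOP. */
int open_checked_safe(const char *path) {
    uid_t euid = geteuid(); gid_t egid = getegid();
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int saved = errno;
    if (seteuid(euid) != 0 || setegid(egid) != 0) {   /* restore privilege */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved;
    return fd;
}

/* Constructed fixture: a readable regular file and a symlink to it under /tmp. */
static char g_target[256], g_link[256];
int make_fixture(void) {
    char dir[] = "/tmp/toctou-XXXXXX";
    if (g_link[0] != '\0') return 0;                 /* already created */
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(g_target, sizeof g_target, "%s/target", dir);
    snprintf(g_link, sizeof g_link, "%s/link", dir);
    int fd = open(g_target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "token\n", 6) != 6) return -1;
    close(fd);
    return symlink(g_target, g_link);
}

/* Each returns 1 when the named behaviour is observed, 0 otherwise. */
int racy_follows_link(void) { int fd = make_fixture() ? -1 : open_checked_racy(g_link); if (fd >= 0) close(fd); return fd >= 0; }
int safe_refuses_link(void) { return make_fixture() == 0 && open_checked_safe(g_link) == -1 && errno == ELOOP; }
int safe_opens_target(void) { int fd = make_fixture() ? -1 : open_checked_safe(g_target); if (fd >= 0) close(fd); return fd >= 0; }
```

Dropping privilege for the open is the real fix; O_NOFOLLOW on its own only closes the symlink variant, not a rename of the file behind the path.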

First, let’s just check the program works as expected.

Set up a listening netcat on my host using:

And then run it on nebula with a file we have access to:

And we receive it at the other end, plus a little banner:

Ok – so how do we exploit the race condition? The best way to swap the file about is to use symbolic links again. How do we time that though? I’m fundamentally a lazy person, so let’s just try to swap out the files as quickly as we can and hope it works.

First, let’s set up a loop that flips a symbolic link from the real token to a fake one repeatedly:

The f switch on ln makes sure we overwrite the existing symbolic link. The & at the end puts the job into the background.

Then let’s set up the listening netcat to keep on listening rather than exit, using the k switch.

And finally, let’s run flag10 repeatedly using another bash one-liner:

Go back to netcat and we have the token:

There we go – the password for flag10.

2 thoughts on “Nebula exploit exercises walkthrough – level10”

  1. Andrew

    April 6, 2016 at 5:44pm

    I just started going through these, thanks for your walkthroughs! I’m not sure if this is on purpose, but in the /home/level10 directory, there’s a file called “x” with a bunch of blank lines and one line with what looks like a password from previous levels. I was able to log into the flag10 account with it and run getflag…

  2. Giorgio Bonvicini

    June 2, 2016 at 11:56am

    Actually if you check your home folder (/home/level10) you’ll find a file called x which you can read without problems (you own it): it contains a whole lot of “new line characters”, but amongst them (line 158) there is the token! 😉
