Link to the challenge: ELF32 - System 1
Okay, let's start with it.
The challenge says "Try to find your path young padawan". Hum, it probably means it will be related to path.
The documentation provided ("Dangers of SUID Shell Scripts"), suggests that we will probably need to use the access of the program to execute some commands.
Let's open the WebSSH terminal.
We find a ./ch11 program. Let's check it's permissions:
ls -al
total 24
dr-xr-x--- 2 app-script-ch11-cracked app-script-ch11 4096 Aug 11 2015 .
drwxr-xr-x 14 root root 4096 Nov 17 2015 ..
-r--r----- 1 app-script-ch11-cracked app-script-ch11-cracked 14 Feb 8 2012 .passwd
-r-sr-x--- 1 app-script-ch11-cracked app-script-ch11 7160 Aug 11 2015 ch11
-r--r----- 1 app-script-ch11 app-script-ch11 153 Aug 11 2015 ch11.c
The permission of ./ch11 seems to be -r-sr-x--- and is owned by app-script-ch11-cracked. Let's check what it means.
This website explains that the 's' in the permissions means that the program will run with the permissions of the owner, not the user running it.
So it seems pretty good for us. This program is owned by app-script-ch11-cracked, which we assume have permission to read the .passwd that contains our flag, and it runs with the SUID flag. Perfect.
Let's have a look at the code in ch11.c now:
#include <stdlib.h>
#include <stdio.h>
/* gcc -m32 -o ch11 ch11.c */
int main(void)
{
system("ls /challenge/app-script/ch11/.passwd");
return 0;
}
The program is using a system call to list the .passwd file we're interested in.What we would like to have is cat instead of ls, so we could display the file.
So let's do it. What we need to do first, is to use symbolic links to create a version of ls that redirect to a cat command.
A little ln --help help us to figure it out how to use it.
The command ln -s /bin/cat /tmp/ls will then create a symbolic link of /bin/cat to /tmp/ls.
So now, if we do /tmp/ls ./ch11.c it should display our file. Good. But our program doesn't call /tmp/ls, it calls ls.
So how does it works ?
When the program will call ls, it will look at his environment variables to look for this command. Environment variables are defined for the whole system and are persistent after a reboot.
This variable we're interested in is called PATH. It contains multiple paths of directories that contain binaries (e.g. /bin, /sbin, etc...). This variable is the reason that we don't need to type the full path of each command every time (like /bin/ls, /bin/cat) but just the command, because the terminal will automatically look for them the in the directories listed in the PATH variable.
What we want to do, is put our /tmp path in it, and before all the other paths, so when the program will look for the ls command, it will check into our /tmp directory first and find an ls file. It will not check if this is a symbolic link or not, it will just execute it. So our command will virtually become /tmp/ls /challenge/app-script/ch11/.passwd, which is really /bin/cat /challenge/app-script/ch11/.passwd thanks to our symbolic link. And as you probably remember, this command will be executed with the permission of app-script-ch11-cracked, because it has been started from ch11 which has this permission.
So in order to add our /tmp to the PATH, we will need the command export. Here is a link that can help you. But remember, our path should be the FIRST in the PATH variable, otherwise some other directories might contains the ls command, and the one you created won't be used.
I let you look around to figure it out how to do it, but it's pretty simple. You should now have all the elements you need to complete this challenge.
Feel free to let me some comments or message if you still have some problems, or any suggestion or criticism.
Thank you, and see you soon for another challenge.
Muchas gracias por la explicacion :)
ReplyDelete