We have reached the last challenge of the Nebula exercises, level19. This challenge deals with the basics of how processes work on Linux systems.
What you’ll need to know…
- Processes on Unix
Level19
Looking at the code on the main page of level19, we quickly see something interesting: the execution of a shell.
The problem is that the shell will only run if the user root started the program flag19. If we were root and ran the program, we would have a shell under the flag19 account. But we are not root, nor do we have the ability to become root. Or do we?
Quick aside: in Linux every process has a parent. When the system fires up, init is created by the kernel and all other processes are its children (or grandchildren and so forth). Now, if we start a process (the parent) that also starts a process (the child) and for some reason the parent dies before the child, the child becomes an orphan. In this case, init will kind of “adopt” this orphan. Can you see why this is useful?
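The reparenting described above can be observed directly with the following C program, an added example that is not code from the original post or from the Nebula exercise (the function name orphan_reparent is an assumption made for illustration). It shows that getppid() reports whichever process owns the child now, not the one that started it, which is why the parent's identity is a weak basis for a privilege decision.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the post): orphan a process and report
 * its parent PID before and after. Returns 0 on success, -1 on error. */
int orphan_reparent(pid_t *before, pid_t *after)
{
    int fds[2];
    if (pipe(fds) == -1) return -1;

    pid_t middle = fork();
    if (middle == -1) return -1;
    if (middle == 0) {                       /* middle: the short-lived parent */
        pid_t self = getpid();
        if (fork() == 0) {                   /* leaf: about to be orphaned */
            close(fds[0]);
            /* Wait (at most ~5 s) until the kernel has handed us to a new parent. */
            for (int i = 0; getppid() == self && i < 5000; i++)
                poll(NULL, 0, 1);            /* sleep 1 ms */
            pid_t out[2] = { self, getppid() };
            ssize_t n = write(fds[1], out, sizeof out);
            _exit(n == (ssize_t)sizeof out ? 0 : 1);
        }
        _exit(0);                            /* the parent dies before the child */
    }
    close(fds[1]);
    waitpid(middle, NULL, 0);                /* reap the middle process */
    pid_t in[2];
    ssize_t n = read(fds[0], in, sizeof in); /* blocks until the leaf reports */
    close(fds[0]);
    if (n != (ssize_t)sizeof in) return -1;
    *before = in[0];
    *after = in[1];
    return 0;
}

int main(void)
{
    pid_t before, after;
    if (orphan_reparent(&before, &after) != 0) { perror("orphan_reparent"); return 1; }
    printf("parent before: %d, parent after orphaning: %d\n", (int)before, (int)after);
    /* The real UID does not change on reparenting, unlike the parent. */
    printf("real uid of this process (getuid): %d\n", (int)getuid());
    return 0;
}
```

The adopter is usually PID 1, but it can be another process that has registered as a subreaper, so the output depends on the environment.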
We can apply this theory to solve this last challenge. We create a program that starts flag19, but that program needs to die before the execution of flag19 arrives at line 28.
To solve the challenge, I’ll use my SUID program.
I’ll also write the program that will call flag19 and pass to it the commands to compile my SUID program.
Now, it’s just a matter of compiling this C program with gcc -o level19 level19.c.
Run the executable file produced by the last command and you’ll see a new one under the /home/flag19 directory.
And now, like previous challenges, it’s just a matter of running the moveaxme executable and collecting the flag.
All Nebula challenges have been solved!!!
Challenges completed: 20/20
Mitigation
I’ll wait for suggestions for this one!