With level04 challenge we are supposed to exploit the weak permissions of flag04’s file. As always, my main objective is to get a shell under the flag04 account.
What you’ll need to know…
- Symbolic links
- Basic Unix commands
Level04
For this challenge, we have some code to analyze. By reading this code, it’s possible to understand that flag04 takes one argument by looking at the first if condition. From the analysis of the second condition, we can conclude that if our file’s name contain the word “token” (due to the strstr), it won’t be read.
From here on, you just need to feed flag04 some program that you actually have permissions…or not! Let’s hold this thought.
Once more, flag04 is a SUID program, owned by the user flag04. We’ve seen this kind of file, for example, in level 1. This means that when we are running flag04 program, we are doing it as if we were flag04 user. But because token is also owned by flag04 user, we can’t read it.
But what if… we could make a file owned by us point to this token and feed that same file to flag04 program? Of course I’m talking about symbolic links, so let’s try it. We need a folder where we can actually write, which will be level04 folder.
The option “-T” makes the symbolic link target the token file. So, basically, this will create the moveaxme symbolic link and make it point to token.
Now we have our symbolic link. Let’s feed it to flag04 and see what happens.
Neither the token file belongs to us, nor we have permissions to read it, but even that way we were able to see the content of this file. But wait, how does this help me getting a shell?
Maybe it’s the password of flag04 account…
Bingo!
Challenges completed: 5/20
Mitigation
Same advice as level00.