Tuesday, September 18, 2012

STS: Blackbox - Level 3

This challenge was a lot easier than the last, but I certainly caught a few snags. Landing in the level3 home directory, I see a few files: PID, proclist, proclist.cc and the obvious password file.

PID is a bash script with the following contents:

#!/bin/bash
/bin/touch /tmp/bash
/bin/chmod +sx /tmp/bash

proclist is an ELF 32-bit binary, and proclist.cc turns out to be the source for proclist. Taking an initial look at the challenge, I decide to run the binary. It seems to prompt me to enter the name of the program. This is kind of ambiguous to me, so I enter the name of the binary, proclist.
[Screenshot: proclist in action]
Interesting... it returned the process info. I know... I'm slow. Putting two and two together, I figure the name, proclist, lists processes! Intrigued by this, I decided to try some command injection.
[Screenshot: command injection attempt]
This didn't seem to work and greeted me with a hearty "Fatal error". Enough is enough and I crack open the source code they humbly provided.
[Screenshot: proclist source, showing the character filter]
Aha! We can see that they are filtering for common concatenating and piping chars: ;^&|><. Reading the code further leads me to my next hint: it makes a system() call with premade commands, /bin/ps and grep. So this is how it works: it lists the processes with ps and then greps for whatever program we enter. The vulnerability here happens to be in how it's calling grep.
[Screenshot: vulnerable code]
Here, it's calling grep without an absolute path. What this means is that the shell spawned by system() will search the PATH environment variable for a binary named "grep". We can abuse this by prepending a directory we control to PATH and placing our own binary or script named "grep" in it, which will then be executed instead of the real one. This works because directories are searched in the order they appear in PATH, so the leftmost match wins. Now that we know how to go about this challenge, let's go ahead and complete the exploit to get the password for the next stage.
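To make the mechanism and its fix concrete, here is an added C example; it is not part of the original post and not the proclist.cc source. resolve_in_path() walks a PATH string left to right the way the shell does for an unqualified "grep"; prepended_dir_wins() builds a throw-away /tmp/pathdemo/sh to show that the leftmost directory wins; is_safe_program_name() is an allow-list that replaces the ;^&|>< deny-list; and run_ps_grep_hardened() runs ps and grep by absolute path with no shell in between, so PATH is never consulted. The paths /bin/ps and /bin/grep, the function names, the /tmp/pathdemo directory and the 64-byte name limit are all my assumptions.

```c
/* Added example, not from the original post or proclist.cc. Shows how the
 * shell resolves an unqualified "grep" against PATH, an allow-list for the
 * program name, and a "ps | grep NAME" that needs neither shell nor PATH.
 * Assumptions: POSIX system, ps at /bin/ps, grep at /bin/grep. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Walk PATH left to right, as the shell does for system("... | grep"), and
 * write the first executable called `name` into `out`. Returns 1 if found,
 * 0 otherwise. Leftmost directory wins: /tmp/x:/bin runs /tmp/x/grep. */
int resolve_in_path(const char *name, const char *path, char *out, size_t outsz)
{
    const char *p = path;
    while (p && *p) {
        const char *colon = strchr(p, ':');
        size_t dirlen = colon ? (size_t)(colon - p) : strlen(p);
        if (dirlen > 0 && dirlen + 1 + strlen(name) + 1 <= outsz) {
            memcpy(out, p, dirlen);
            out[dirlen] = '/';
            strcpy(out + dirlen + 1, name);   /* bounds checked above */
            if (access(out, X_OK) == 0)
                return 1;
        }
        if (!colon) break;
        p = colon + 1;
    }
    out[0] = '\0';
    return 0;
}

/* Constructs a throw-away /tmp/pathdemo/sh (assumed path) and returns 1 if
 * it wins when /tmp/pathdemo is prepended and /bin/sh wins when appended. */
int prepended_dir_wins(void)
{
    char found[4096];
    mkdir("/tmp/pathdemo", 0755);
    FILE *f = fopen("/tmp/pathdemo/sh", "w");
    if (!f) return 0;
    fputs("#!/bin/sh\n", f);
    fclose(f);
    chmod("/tmp/pathdemo/sh", 0755);
    int ok = resolve_in_path("sh", "/tmp/pathdemo:/bin", found, sizeof found)
          && strcmp(found, "/tmp/pathdemo/sh") == 0
          && resolve_in_path("sh", "/bin:/tmp/pathdemo", found, sizeof found)
          && strcmp(found, "/bin/sh") == 0;
    unlink("/tmp/pathdemo/sh");          /* clean up the constructed files */
    rmdir("/tmp/pathdemo");
    return ok;
}

/* Allow-list instead of the deny-list ";^&|><": letters, digits, '.', '_',
 * '-' only, no leading '-' (would become a grep option), max 64 bytes. */
int is_safe_program_name(const char *s)
{
    if (!s || !*s || s[0] == '-' || strlen(s) > 64)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._-", *s))
            return 0;
    return 1;
}

/* Hardened "ps | grep NAME": no shell, absolute paths for both programs,
 * NAME passed as a single argv element, so neither PATH nor shell
 * metacharacters matter. Returns grep's exit status (0 = match) or -1. */
int run_ps_grep_hardened(const char *name)
{
    int fds[2], status = 0;
    if (!is_safe_program_name(name) || pipe(fds) != 0)
        return -1;
    pid_t ps = fork();
    if (ps == 0) {                            /* producer: /bin/ps aux */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execl("/bin/ps", "ps", "aux", (char *)NULL);
        _exit(127);
    }
    pid_t gr = ps < 0 ? -1 : fork();
    if (gr == 0) {                            /* consumer: /bin/grep -- NAME */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execl("/bin/grep", "grep", "--", name, (char *)NULL);
        _exit(127);
    }
    close(fds[0]); close(fds[1]);
    if (ps > 0) waitpid(ps, NULL, 0);
    if (gr > 0) waitpid(gr, &status, 0);
    if (ps < 0 || gr < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("prepended dir wins: %d\n", prepended_dir_wins());
    printf("\"sh;id\" accepted: %d\n", is_safe_program_name("sh;id"));
    printf("grep for \"sh\" exited with %d\n", run_ps_grep_hardened("sh"));
    return 0;
}
```

The two fixes that matter for the level are independent: giving grep an absolute path (or, as here, not going through a shell at all) removes the PATH dependence, and an allow-list on the name is stricter than enumerating bad characters, which is the approach the original filter takes.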

I first made a shell script named grep in my tmp directory with the contents:

#!/bin/sh

cat /home/level4/password

I made sure to chmod it so that it's executable by anyone. Then I went ahead and modified my PATH:

export PATH=/tmp/history3:$PATH

This prepends the directory /tmp/history3 before the rest of the PATH directories. Now all that is left is to run it and see what happens!
[Screenshot: exploited]
It seems like it worked! I've held back the password from the screenshot. On to the next!

Blooper: When I was completing this challenge, for some reason in my shell script, using #!/bin/bash resulted in an access error. I'm not entirely sure why this happened as /bin/sh is a symlink to /bin/bash. Also, running sh --version and bash --version produce the same output. What's weird though is if you type sh, it drops you into a sh terminal. Maybe for backwards compatibility? I'm not entirely sure, but I'd love to know the answer!


SPOILER! Highlight below to view the password:
BashingSh