```c
#include <stdio.h>

int main(int argc, char **argv)
{
    char buf[100];
    size_t len;
    char fixedbuf[10240];   /* stack buffer; input is copied here with no bounds check */
    FILE *fh;
    char *ptr = fixedbuf;
    int i;

    /* relative path: resolved against the caller's current working directory */
    fh = fopen("somefile", "r");
    if(!fh)
        return 0;
    while((len = fread(buf, 1, 100, fh)) > 0) {
        for(i = 0; i < len; i++) {
            // Disable output modifiers
            switch(buf[i]) {
            case 0xFF:      /* never matches where char is signed (buf[i] promotes to -1) */
            case 0x00:
            case 0x01:
                break;
            default:
                *ptr = buf[i];   /* unbounded write: runs past fixedbuf after 10240 bytes */
                ptr++;
            }
        }
    }
    printf("%s", fixedbuf);   /* fixedbuf is never NUL-terminated */
    fclose(fh);
}
```
It looks like it opens "somefile" and copies its contents into fixedbuf, so at first glance this is a typical buffer overflow vuln. However, I noticed we can do something else here. Since the binary is suid as the level6 user, why not just have it open the password file for us? That is easy to arrange: make a symbolic link to /home/level6/password and name it somefile. The only problem is how to write that link into our home directory when we aren't allowed to, and that was the problem I was facing. Copying the binary to our tmp directory strips its ownership, and with it the suid privilege.

After some research, it turns out that the binary opens "somefile" as a relative path, so it is resolved from the directory I call it from. That means I can sit in my tmp directory, invoke the binary as ~/list, and it will read the local somefile in my current directory. Let's see it in action.
*(Screenshot: Reading the password file)*
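For contrast, here is how the two weaknesses this level turns on would be closed: a bounds-checked, NUL-terminating copy that filters bytes as unsigned values (so 0xFF is actually caught), and an open that refuses to follow a symlink or read anything but a regular file. This is an added example written for this page, not the challenge's code; the function names and the O_NOFOLLOW/fstat check are my own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bytes the original program drops ("output modifiers"). Comparing as
 * unsigned char matters: with a signed char, 0xFF would never match. */
static int is_filtered(unsigned char c)
{
    return c == 0xFF || c == 0x00 || c == 0x01;
}

/* Copy src to dst dropping filtered bytes, never writing past dstsize and
 * always NUL-terminating. Returns bytes stored, or -1 if input did not fit. */
ssize_t filter_copy(const unsigned char *src, size_t srclen,
                    char *dst, size_t dstsize)
{
    size_t out = 0;
    if (dstsize == 0)
        return -1;
    for (size_t i = 0; i < srclen; i++) {
        if (is_filtered(src[i]))
            continue;
        if (out + 1 >= dstsize) {   /* no room left before the NUL */
            dst[out] = '\0';
            return -1;
        }
        dst[out++] = (char)src[i];
    }
    dst[out] = '\0';
    return (ssize_t)out;
}

/* Open path read-only without following a symlink at its final component
 * and refuse anything but a regular file, so a link named "somefile" cannot
 * redirect a privileged reader. Returns a descriptor or -1. (Hypothetical
 * hardening, not the challenge's code.) */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A privileged program would additionally use an absolute path (or openat relative to a trusted directory descriptor) rather than a bare "somefile", so the caller's working directory plays no part at all.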
Alternate Solution: I'd like to redo this challenge by actually exploiting the buffer. It would be good practice and hands-on experience with exploitation.
SPOILER! Highlight below to view the password:
OverWritten!