Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.
We ssh to [email protected] and authenticate using the password we had obtained after solving the previous level.
Recap of previous level.
It is very important that you read the recap of the previous level.
The recap has a detailed explanation of how the stack works and how to examine it using gdb. The solution I used is similar though.
Reading the story of level4 tells us what we'll have to do in this challenge: find out how PATH works and how a command we enter gets executed.
PATH is an environment variable in Linux and other UNIX-like operating systems which holds a list of directories where executable files are located. It tells the shell where to look when the user enters a command: the directories are searched in order and the first matching executable wins. It is indeed one of the most important environment variables.
In this challenge the source code of the executable is available.
On running the binary, we are not asked for any input. The program just executes a few commands such as uname and cut. So what we can do is change what these commands do: instead of having uname print the system information, we can have it print out the password to the next level.
For that we'll first have to create an executable. Gracker allows us to create temporary files and folders in the temp directory. So we'll need to do the following:
Create a temporary directory
Create a uname file in the directory with contents cat /home/level5/.pass
Make the uname file executable
Let's try to run this file.
It shows permission denied, which is what we expected: we have level4 permissions, and reading the password requires level5 permissions.
The program /matrix/level4/level4 is owned by level5, so when it executes it runs with level5 permissions and we will be able to read the password.
We now have to change the PATH environment variable so that the shell looks in our custom directory /tmp/feignix for executables, and does so before it looks in the directory where the original uname file is present.
Now that we have modified the PATH, all that remains is to run the level4 file.
And voila! We have the password to the next level under [*] Get system information:. I have not shown the password here so that the readers try the challenge on their own.
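To make the PATH lookup concrete, here is an added example (not part of the original write-up or of the Gracker challenge) that resolves a command name through a PATH list the way the shell does, then shows the defensive side: a privileged program that sets its own fixed PATH, or calls commands by absolute path, is not affected by a directory the caller prepends. The temporary directory and the stand-in uname script are constructed for the demo; it only echoes a marker.

```shell
#!/bin/sh
# Added example: how the shell resolves a command name through PATH, and why a
# setuid program must not inherit the caller's PATH. All paths are constructed.

# resolve_in_path NAME PATHLIST
# Prints the first executable NAME found in PATHLIST (colon-separated, searched
# left to right, exactly like the shell does); returns 1 if nothing matches.
resolve_in_path() {
    name=$1
    pathlist=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -z "$dir" ] && dir=.        # an empty entry means "current directory"
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# safe_path: the fixed, trusted PATH a privileged program should export before
# running any external command, instead of trusting whatever the caller set.
safe_path() {
    printf '%s\n' "/usr/bin:/bin"
}

# demo: a writable directory holding a harmless stand-in for uname, resolved
# once under a caller-controlled PATH and once under the fixed PATH.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho fake uname\n' > "$tmp/uname"
    chmod +x "$tmp/uname"
    hijacked=$(resolve_in_path uname "$tmp:/usr/bin:/bin")
    hardened=$(resolve_in_path uname "$(safe_path)") || hardened="(not found)"
    rm -rf "$tmp"
    printf 'caller PATH resolves uname to: %s\n' "$hijacked"
    printf 'fixed PATH resolves uname to:  %s\n' "$hardened"
}

demo
```

The same lookup order is why the write-up's trick works: the shell stops at the first directory that contains an executable named uname, so a program that runs `uname` by bare name with an inherited PATH is resolved against the caller's choice of directories.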