Thread: Soc Gdt
Old 02-27-2012, 05:34 AM
HelpDeskHustler
Join Date: Mar 2007
Posts: 2,699
Default Re: Soc Gdt

Originally Posted by marvin-martian View Post
Looked interesting, kept reading and...nope. Not for me haha.
Haha, it's been pretty easy so far -- considering how I've never performed these exploits before. It's not nearly as hard as notpron, because the puzzles are actually documented.

The first and second puzzle are ridiculously easy IMO and just require cleverness. I got lucky on the 3rd puzzle as it actually requires a bit of hexadecimal math and calculations -- I just guessed well. The 4th requires a bit more math and has me stuck trying to figure out how many characters I need to put my code in the right spot.

Hint for the first one: the vulnerable code is:
which is the equivalent of using a terminal to do:
$ date
Since the system uses an environmental variable "PATH" to resolve where the "date" program is, you can exploit that by changing the "date" that it decides to call -- perhaps one that gives away sensitive information:

echo /home/level02/.password
The idea is that the executable is setuid (level02), which means when you (level01) run it, it gives the executable the privileges of level02 to run. Administrators sometimes do this to give people very limited access, but as you can see -- doing it incorrectly is very dangerous. If you are careless, you can accidentally call, and in turn execute, code that you would not want to run, but a malicious intruder would love for you to run.

Continued level01 hint to solution:

Finding a place to write your code is a bit annoying, but you should put it in the tmp folder that they give you and make note of where it is, you won't be able to "ls" to find it. Changing the PATH variable is a cake walk and will allow you to run malevolent code quickly:
$ PATH=/tmp/weirddirectory:$ PATH
-- but without the space between $ and the second PATH... forums are scrubbing my code and won't let me type "$p" followed by "ath".
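Added example (my own code, not the CTF's and not the poster's): the pattern the hint describes, a program that runs "date" through PATH lookup, beside a hardened version that rejects an untrusted PATH and execs an absolute path with a pinned environment. The allowlist of directories and the /bin/date location are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern from the hint: system() hands "date" to /bin/sh, which
 * resolves it through the caller's PATH. In a setuid binary the caller
 * therefore chooses which "date" runs with the elevated uid. */
int run_date_vulnerable(void) {
    return system("date");
}

/* Check a PATH value the way a privileged program should before trusting it:
 * no empty entries (an empty entry means "current directory") and every entry
 * must be one of a few system directories (assumed allowlist).
 * Returns 1 if trusted, 0 otherwise. */
int path_is_trusted(const char *path) {
    static const char *allowed[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin" };
    char buf[4096];
    if (path == NULL || path[0] == '\0' || strlen(path) >= sizeof buf) return 0;
    if (path[0] == ':' || path[strlen(path) - 1] == ':' || strstr(path, "::")) return 0;
    strcpy(buf, path);
    char *save = NULL;
    for (char *e = strtok_r(buf, ":", &save); e; e = strtok_r(NULL, ":", &save)) {
        int ok = 0;
        for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
            if (strcmp(e, allowed[i]) == 0) ok = 1;
        if (!ok) return 0;   /* e.g. /tmp/weirddirectory or a relative entry */
    }
    return 1;
}

/* Hardened: execve an absolute path (assumed /bin/date) with a pinned
 * environment, so neither the inherited PATH nor any other variable decides
 * what runs. Returns the child's exit status, or -1 on failure. */
int run_date_hardened(void) {
    char *const argv[] = { "/bin/date", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve("/bin/date", argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("inherited PATH trusted: %d\n", path_is_trusted(getenv("PATH")));
    return run_date_hardened() == 0 ? 0 : 1;
}
```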