Nebula Level15: A Newbie’s Approach

Nebula Level15: A Newbie’s Approach

Until now, level15 was the challenge that took me more time to solve. I was really stuck, because there was a lot of subjects new for me and it took me a little bit to get comfortablewith them. Level15 is the next level of level13 challenge.
Now, I’m ready to write about this exercise, so let’s dig in.

 

What you’ll need to know…

  • C language

 

Level15

When we strace the flag15, as suggested in the main page of the exercise, we are able to see that flag15 program tries to locate and access a libc.so.6 file.
We can also use the objdump command, which will show us information related to the object file flag15.

objdump_rpath
From this output, we can conclude that our program requires libc.so.6 and will try to load this library from the directory present in the RPATH, /var/tmp/flag15. Fortunately, we can write to this folder, so let’s keep this in mind. Also, if we go to this directory, we’ll find that it’s empty.
Now, if we’re going to write our own libc.so.6 shared library we need to know the functions that the program flag15 will use.

objdump_functions

I’ll create a C file, where I’ll include two of this functions. libc_start_main will contain the core code to exploit the level15 challenge. Originally, libc_start_main is a function that belongs to libc.so.6, responsible for setting up the environment for our process and, after that, call main function.

exploit.c
We’ll also need to provide a version file.

version
To compile our malicious library, just run the command gcc -fPIC -shared -static-libgcc -Wl,–version-script=version,-Bstatic -o libc.so.6 exploit.c.

If we run the flag15 program, and as we saw in the strace output, it should go look for the libc.so.6 shared library in the /var/tmp/flag15 folder, and when it does, it’ll find our malicious library.

Let’s now run the flag15 program and see what happens.

Solution level15

Solved!

Challenges completed: 16/20

 

Mitigation

First thing, and as stated before, be very careful with SUID programs. Second, there is the possibility of using a secure loader. Finally, I found this solution that can also reveal useful.

 

Walkthrough

https://www.youtube.com/watch?v=tC7e9jySIk4

 

Further Reading

Leave a Reply

Your email address will not be published. Required fields are marked *