Assignment 2a, hacker track, assignment2-177. Digital test, Mon, 20 Apr
Aryan
strcpy copies, strcat appends. Neither checks size. Then someone wrapped user input in system(). That's not a bug — that's a gift. ./level1 "whatever; escalate" and we're in. Semicolons are criminally underrated.

See the assignment's PDF available on BrightSpace for task descriptions and submission requirements.

Level 1

(1) Explain what were the vulnerabilities of the target program of this level.
(2) Explain how you exploited the aforementioned vulnerabilities to get access to the next level.
Your explanations must be clear and not miss any detail. Take care that with your explanations a reader would be able to exploit the target program.
Answer
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]) {
    printf("=== Super cool word search engine ===\n");
    if(argc < 2) {
        printf("Usage: %s word\n", argv[0]);
        return 1;
    }
    /* Fixed prefix of the shell command; argv[1] is appended to it verbatim. */
    const char* dict_scan_command = "/bin/cat /levels/level1/b.dict | /bin/grep ";
    /* Buffer holds prefix + argument + terminating NUL. */
    char* command = malloc(strlen(dict_scan_command) + strlen(argv[1]) + 1);
    strcpy(command, dict_scan_command);
    strcat(command, argv[1]);
    /* The whole string is handed to /bin/sh -c, so shell metacharacters in argv[1] are interpreted. */
    system(command);
    free(command);
    return 0;
}

1. The program searches for a word in the file /levels/level1/b.dict. It does this by running cat /levels/level1/b.dict to print the file's contents and piping them into grep {passed argument}, which returns the lines that contain the argument. To build that command it has to append the argument to a fixed base command. It allocates a buffer with malloc(n), where n is the number of bytes in the final command: the length of the dict_scan_command string plus the length of the argument that was passed (plus one for the terminating NUL). It then copies the base command into that buffer (the pointer variable command) with strcpy, appends the argument to it with strcat, and runs the result with the system() function. The command runs with the permissions of the binary/executable, and because the SETGID bit is set, that means the permissions of the level1 group. This is a vulnerability because I control part of the command that system() runs, and that command runs with elevated privileges that I do not otherwise possess.

2. I exploited the vulnerability by running the following command:

./level1 "whatever; escalate"

This passes a single argument, "whatever; escalate": a string, then a semicolon, then escalate, which is just a binary in the PATH, so it runs with the elevated privileges. system() hands the assembled string to /bin/sh -c, and to the shell a semicolon marks the end of one command, so whatever follows it is run as a new command. grep does not require quotes around its pattern, so the final command that system() runs is:

/bin/cat /levels/level1/b.dict | /bin/grep whatever; escalate
Command Injection via system()
The binary builds a shell command by appending user input with strcpy/strcat, then runs it with system(). Because the binary has the setgid bit, it runs with elevated group privileges. Inserting a semicolon in the argument terminates the grep command and starts a new one — our escalation.
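The construction described above, next to the hardened form a practitioner would compare it against, as an added example: this is not the target program's code and not part of the original submission. build_vulnerable_command reproduces the target's strcpy/strcat concatenation so the exact string that reaches system() can be inspected; has_shell_metachar is a check assumed here for the characters /bin/sh would interpret in that string; safe_grep is an assumption about how the program should have been written: it execs /bin/grep directly with an argv array, so the argument reaches grep as one literal word and no shell ever parses it. The dictionary path is the one the target uses and is not expected to exist on the machine running this.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Path used by the target program; it will not exist on a test machine. */
#define DICT_PATH "/levels/level1/b.dict"

/* Same construction as the target: a shell command string with the user's
 * argument spliced in verbatim.  Caller frees the result. */
char *build_vulnerable_command(const char *arg)
{
    const char *prefix = "/bin/cat " DICT_PATH " | /bin/grep ";
    char *cmd = malloc(strlen(prefix) + strlen(arg) + 1);
    if (!cmd)
        return NULL;
    strcpy(cmd, prefix);
    strcat(cmd, arg);
    return cmd;
}

/* Helper for checks: build the command for arg and compare it to expected. */
int vulnerable_command_equals(const char *arg, const char *expected)
{
    char *cmd = build_vulnerable_command(arg);
    if (!cmd)
        return 0;
    int same = strcmp(cmd, expected) == 0;
    free(cmd);
    return same;
}

/* Assumed check: 1 if arg contains any character /bin/sh treats as more than a
 * literal word.  The ';' in "whatever; escalate" is what splits the string
 * into two commands; '|', '&', '$', backquote and the rest do similar damage. */
int has_shell_metachar(const char *arg)
{
    return strpbrk(arg, ";|&$`\\\"'<>()*?[]{}~ \t\n") != NULL;
}

/* Hardened replacement (assumed design): run grep on the file directly with an
 * argv array.  No shell is involved, so the pattern is one argument to grep
 * regardless of what characters it contains.  Returns grep's exit status
 * (0 match, 1 no match, 2 error) or -1 if the child could not be run. */
int safe_grep(const char *pattern, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" stops a pattern such as "-r" from being parsed as a grep option. */
        execl("/bin/grep", "grep", "--", pattern, path, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    const char *arg = argc > 1 ? argv[1] : "whatever; escalate";
    char *cmd = build_vulnerable_command(arg);
    printf("system() would receive: %s\n", cmd);
    printf("shell metacharacters present: %s\n",
           has_shell_metachar(arg) ? "yes" : "no");
    free(cmd);
    /* safe_grep(arg, DICT_PATH) would search for the literal string instead. */
    return 0;
}
```

The point of safe_grep is that the fix is not escaping or filtering the argument but removing the shell from the path entirely; the cat pipe is unnecessary because grep reads the file itself, and with the file path fixed in the code the only thing the user controls is grep's pattern. has_shell_metachar is useful as a detection aid when auditing what an argument would do to the original program, not as a substitute for the exec-based fix.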