Leviathan Level 2 → Level 3 | Learn Basic Exploitation Techniques

by Abhishek Singh Thakur, January 7th, 2020

Too Long; Didn't Read

In this post we will learn how to use the tool ltrace to see what a program does, how to create symbolic links in Linux, and how to exploit a vulnerability in access() known as a TOCTOU race (Time of Check to Time of Update). The program calls access() to check a file name, and in the small time between that check and the later use of the file, the file may have changed: a malicious user could substitute a symbolic link to something he doesn’t have access to for a file he does have access to. If pathname is a symbolic link, it is dereferenced.


Learn Linux commands by playing the Leviathan wargame from OverTheWire. This wargame doesn’t require any knowledge about programming, just a bit of common sense and some knowledge of basic *nix commands.

Below is the solution of Level 2 → Level 3. In this post we will learn how to use the debugging tool ltrace to see what a program does and then exploit it through a vulnerability in access() known as a TOCTOU race (Time of Check to Time of Update). We will also learn how to create symbolic links in Linux.

Previous Posts

Leviathan Level 0 to Level 1

The command to log in is

ssh [email protected] -p 2223

and the password is ougahZi8Ta.

In the directory we have a binary file printfile which runs as user leviathan3. Using this file we tried to read the password for the next level with the command

./printfile /etc/leviathan_pass/leviathan3

but we received the output “You cant have that file…”.

Running ltrace with the above command,

ltrace ./printfile /etc/leviathan_pass/leviathan3

we found that the access function returns -1, which means we do not have read permission for that file. But we do have read permission for the file /etc/leviathan_pass/leviathan2.

After running the command

ltrace ./printfile /etc/leviathan_pass/leviathan2

we found that first the access function returns 0 for the file, meaning we have read permission for it. Then the snprintf function writes a string consisting of /bin/cat and the file path. Then the system function is called with that string, which displays the content of the file.

int access(const char *pathname, int mode);

access() checks whether the calling process can access the file pathname. If pathname is a symbolic link, it is dereferenced. The check is made using the real UID and GID of the calling process, which is why a setuid program like printfile uses it to find out whether the invoking user could read the file.

The mode specifies the accessibility check(s) to be performed; a mode of 4 (R_OK) specifies read permission.

On success (all requested permissions granted), 0 is returned. On error (at least one bit in mode asked for a permission that is denied, or some other error occurred), -1 is returned.

int snprintf( char * restrict dest, size_t n, const char * restrict format, ... );

The snprintf() function is similar to printf(), but writes its output as a string into the buffer referenced by the first pointer argument, dest, rather than to stdout. Furthermore, the second argument, n, specifies the maximum number of characters that snprintf() may write to the buffer, including the terminating null character.

The return value is the number of characters (not counting the terminating null character) that would have been written if n had been large enough.

The access function has a vulnerability known as a TOCTOU race (Time of Check to Time of Update). The program calls access() to check a file name, and then it calls open() on that same name (in printfile this happens indirectly, through the /bin/cat run by system()). In the small time between the two calls, the file behind the name may have changed. A malicious user can substitute, for a file he has access to, a symbolic link to something he doesn’t have access to, between the access() call and the open() call. The check and the use are made by name, on two different occasions, so nothing guarantees they refer to the same file.

So we create a symbolic link named symlink that points to /etc/leviathan_pass/leviathan3. But we cannot pass symlink itself to the binary, because access() would dereference the link and deny the read. Instead we create a second file whose name contains a space: symlink space. (Rather than two separate files, it is enough to create the one file named symlink space next to the link.)

We pass symlink space to the binary. The access function checks the complete path, including the space, and that file is ours and readable, so the check passes. But the command string handed to system is /bin/cat followed by the unquoted path, and the shell splits it at the space, so /bin/cat sees symlink and space as two separate file arguments and opens symlink first. When the system function is called it therefore outputs the content of the file that symlink points to.
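The two weaknesses described above, the check-then-use gap around access() and the unquoted file name handed to system(), can be seen side by side in a small C program. This is an added example written for this post, not the source of the Leviathan printfile binary: print_file_vulnerable reconstructs the pattern the ltrace output shows, build_cat_command isolates the snprintf call (its return value is the full length of the command even when the buffer is too small, as the snprintf description above states), and print_file_safe is one hardened form that drops the setuid privilege, refuses symbolic links, checks the opened descriptor rather than the name, and copies bytes without any shell. All function names, the temporary directory layout and the file content in run_demo are my own construction.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Builds the same kind of command string the ltrace output shows printfile
 * passing to system(). Returns what snprintf returns: the length the full string
 * would have had, even when it was truncated to fit n bytes. Note the unquoted
 * %s: the shell will split "symlink space" into two arguments, so /bin/cat only
 * opens "symlink", while access() checked the whole name. */
int build_cat_command(char *cmd, size_t n, const char *path) {
    return snprintf(cmd, n, "/bin/cat %s", path);
}

/* The vulnerable pattern from the post (a reconstruction, not the real
 * printfile): check the name with access(), then use the name again, later,
 * in a shell command. */
int print_file_vulnerable(const char *path) {
    char cmd[512];
    if (access(path, R_OK) != 0) {        /* check, using the real uid */
        puts("You cant have that file...");
        return -1;
    }
    build_cat_command(cmd, sizeof cmd, path);
    return system(cmd);                   /* use, by name, via a shell */
}

/* Hardened version, as an example of how to close both holes:
 *  - drop the setuid privilege first, so the kernel's own permission check in
 *    open() runs as the invoking user and no separate access() call is needed;
 *  - O_NOFOLLOW makes open() refuse a symbolic link in the final component
 *    instead of silently dereferencing it;
 *  - fstat() inspects the descriptor we actually opened, not the name;
 *  - bytes are copied with read()/write(), so no shell ever parses the name.
 * Returns the number of bytes copied to stdout, or -1 on any failure. */
ssize_t print_file_safe(const char *path) {
    if (setuid(getuid()) != 0)            /* no-op when the binary is not setuid */
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)                           /* ELOOP for a symlink, EACCES if unreadable */
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    char buf[4096];
    ssize_t n, total = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(STDOUT_FILENO, buf, (size_t)n) != n) {
            close(fd);
            return -1;
        }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

/* Constructed scenario in a fresh temporary directory: a regular file "secret"
 * holding 18 bytes of made-up content, and a symbolic link "symlink" pointing
 * at it. Returns 1 if the hardened reader prints the regular file (18 bytes)
 * but refuses to follow the link, 0 otherwise. */
int run_demo(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char secret[256], link[256];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link, sizeof link, "%s/symlink", dir);

    const char content[] = "constructed-secret";   /* 18 bytes, no newline */
    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, content, sizeof content - 1) != (ssize_t)(sizeof content - 1))
        return 0;
    close(fd);
    if (symlink(secret, link) != 0)
        return 0;

    ssize_t via_regular = print_file_safe(secret);   /* expected 18 */
    ssize_t via_symlink = print_file_safe(link);     /* expected -1 (ELOOP) */

    unlink(link);
    unlink(secret);
    rmdir(dir);
    return via_regular == 18 && via_symlink == -1;
}

int main(void) {
    char cmd[64];
    int len = build_cat_command(cmd, sizeof cmd, "/tmp/pc123/symlink space");
    printf("command: \"%s\" (length %d)\n", cmd, len);
    printf("hardened reader behaves as expected: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

The hardened reader never calls access() at all: once the effective UID equals the real UID, open() performs the only permission check that matters, on the object it actually opens, so there is no window for a name to be repointed between check and use. Dropping privileges is the general fix; O_NOFOLLOW and the fstat() on the descriptor are belt-and-braces for the symlink case.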

mkdir /tmp/pc123
cd /tmp/pc123
touch symlink\ space

The command to create the symbolic link is

ln -s /etc/leviathan_pass/leviathan3 /tmp/pc123/symlink

Then run the command

./printfile /tmp/pc123/symlink\ space

and the password is Ahdiemoo1j.

References:
access(2) - Linux man page
Unix / Linux - File Permission / Access Modes
snprintf
How is using access() opening a security hole?
access() Security Hole
Fixing Races for Fun and Profit: How to use access(2)

Next Posts

Leviathan Level 3 to Level 4
Leviathan Level 5 to Level 6