{"id":123,"date":"2012-07-28T18:35:06","date_gmt":"2012-07-29T01:35:06","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=123"},"modified":"2012-07-28T18:35:06","modified_gmt":"2012-07-29T01:35:06","slug":"blackbox-level-3-step-back","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=123","title":{"rendered":"Blackbox Level 3 &#8211; Step Back"},"content":{"rendered":"<p>Today we&#8217;re going to be looking at level 3 of the <a title=\"Smash The Stack\" href=\"http:\/\/www.smashthestack.org\">Smash The Stack<\/a> wargame, <a title=\"Blackbox\" href=\"http:\/\/blackbox.smashthestack.org:85\/\">Blackbox<\/a>. \u00a0As usual, the password will be stripped from the page and replaced with Y&#8217;s. \u00a0Now let&#8217;s move onto the game by ssh&#8217;ing into the server as level 3.<\/p>\n<p>Upon arrival the first thing we should do is look for our vulnerability and any source code, if available. \u00a0A quick ls of the home directory rewards us with a level4 SUID program called proclist, as well as a readable file called proclist.cc. 
\u00a0Examining further we can see that proclist.cc is (most likely) the source file:<\/p>\n<blockquote><p>level3@blackbox:~$ more proclist.cc<br \/>\n#include &lt;iostream&gt;<br \/>\n#include &lt;string&gt;<\/p>\n<p>int main(int main, char **argv)<br \/>\n{<br \/>\nstd::string command;<br \/>\nstd::string program;<\/p>\n<p>std::cout &lt;&lt; \"Enter the name of the program: \";<br \/>\nstd::cin &gt;&gt; program;<\/p>\n<p>for(unsigned int i = 0; i &lt; program.length(); i++) {<br \/>\nif(strchr(\";^&amp;|&gt;&lt;\", program[i]) != NULL) {<br \/>\nstd::cout &lt;&lt; \"Fatal error\" &lt;&lt; std::endl;<br \/>\nreturn 1;<br \/>\n}<br \/>\n}<\/p>\n<p>\/\/ Execute the command to list the programs<br \/>\ncommand = \"\/bin\/ps |grep \";<br \/>\ncommand += program;<br \/>\nsystem(command.c_str());<\/p>\n<p>return 0;<br \/>\n}<\/p><\/blockquote>\n<p>It is always important to understand a file when looking for a vulnerability, and today is no exception. \u00a0Analyzing the code we can see that the program does a few things. \u00a0First, it reads input from the user with cin&#8217;s &gt;&gt; operator and stores it in the variable &#8220;program&#8221;. \u00a0Next, it scans the user input stored in &#8220;program&#8221;, making sure it doesn&#8217;t contain any of the characters ; ^ &amp; | &gt; or &lt;. \u00a0If one of those characters is found in the input string, the program exits. \u00a0Otherwise, the program appends the input string in &#8220;program&#8221; to the end of the command string &#8220;\/bin\/ps |grep &#8221;. \u00a0Finally the entire command string is passed to system() as a read-only C string obtained from the c_str() function.<\/p>\n<p>Thinking about the flow of the program, it seems like the system call might be where we want to make our attack. \u00a0After all, user input is put into the system call. 
\u00a0So, if we can use maliciously formed input, maybe we can control what the system call does. \u00a0To do this, we must note a few things. \u00a0One is that the program reads with cin &gt;&gt;, and therefore we cannot include any white-space in our input string. \u00a0Second, in Linux we can separate shell or system call commands with a semi-colon. \u00a0Third, in the Linux shell there are three kinds of quotes one can use: single quote, double quote and backtick. \u00a0Single quotes don&#8217;t resolve variables, and only additional single quotes need to be escaped. \u00a0Double quotes allow variables to be resolved to their values. \u00a0Lastly, backticks execute the command string inside of them and substitute its output.<\/p>\n<p>First, let&#8217;s look at point two. \u00a0We could potentially cause multiple commands to execute (such as \/bin\/sh) if we could include a semi-colon in our user input string. \u00a0If the system call ran as system(\"\/bin\/ps |grep ;\/bin\/sh\") we would get a shell. \u00a0Unfortunately, as we noted when reading through the program, the semi-colon is one of the characters that makes the program exit. \u00a0Thus, we must look for a different approach, since this program is attempting to validate user input (good!).<\/p>\n<h3>-Backtick Attack:<\/h3>\n<p>While the user input sanitization checks for a few characters, it doesn&#8217;t check for the backtick. \u00a0Observing this and knowing that the backtick causes execution of the command string within, we may be able to cause the program to run a command. \u00a0However, looking back at point one, our backticked string cannot contain any spaces. \u00a0Thus, we will have to write a little shell script to do what we want. \u00a0In this case, we want to have the program get the contents of the password file for the next level and save it into a file we can read. 
\u00a0This is because we won&#8217;t be able to access a shell directly (even by executing \/bin\/sh), since the backticked command only runs while the shell is building the argument list for grep and its output becomes grep&#8217;s argument; an interactive shell started that way would close immediately. \u00a0However, an executed shell script can write to a file and quit. \u00a0Let&#8217;s look at the shell script we&#8217;re going to use:<\/p>\n<blockquote><p>level3@blackbox:\/tmp\/.t$ more catpass<br \/>\n#!\/bin\/sh<br \/>\n\/bin\/cat \/home\/level4\/password &gt; \/tmp\/.t\/p<\/p><\/blockquote>\n<p>As stated before, the shell script runs cat on the password file for the next level and saves it to a file of our choosing. \u00a0Now let&#8217;s set up our files; don&#8217;t forget to set the correct permissions:<\/p>\n<blockquote><p>level3@blackbox:\/tmp\/.t$ chmod 755 catpass<br \/>\nlevel3@blackbox:\/tmp\/.t$ touch p<br \/>\nlevel3@blackbox:\/tmp\/.t$ chmod 777 p<\/p><\/blockquote>\n<p>Now we&#8217;re ready to run the program and provide it with our malicious string.<\/p>\n<blockquote><p>level3@blackbox:\/tmp\/.t$ \/home\/level3\/proclist<br \/>\nEnter the name of the program: `.\/catpass`<br \/>\nUsage: grep [OPTION]... PATTERN [FILE]...<br \/>\nTry `grep --help' for more information.<br \/>\nlevel3@blackbox:\/tmp\/.t$ more p<br \/>\nYYYYYYYYY<\/p><\/blockquote>\n<p>There we have it, that is one way to do Blackbox Level 3. \u00a0Remember that backticks cause their contents to be executed. \u00a0Here the system call ran ps and piped its results to grep. \u00a0Before grep ran, the shell expanded the backticked argument, which executed our script and wrote the password out to our file. \u00a0Because the script printed nothing, grep received no pattern, printed its usage message and finished, leading to the program&#8217;s exit. \u00a0The moral of the story is to provide better user input validation and sanitization. 
\u00a0Additionally, it&#8217;s usually a bad idea to pass data which is under the control of users directly to a system() call.<\/p>\n<h3>-Path Attack:<\/h3>\n<p>In most, if not all, modern operating systems there exists something called the path. \u00a0The path is a list of directories in which the operating system will search for a program named by the user (when the user doesn&#8217;t provide a full path to the file). \u00a0In the program which we are exploiting today, there exists a vulnerability based on this PATH variable.<\/p>\n<p>In our program, when the system call is executed, two commands are run by default. \u00a0The first is \/bin\/ps. \u00a0This command is provided as a full path and thus cannot be easily redirected. \u00a0The second command, however, is simply grep. \u00a0Since neither a full nor a relative path was provided for the file, the shell will look through the directories in the PATH environment variable for a file with that name. \u00a0If we can rewrite PATH, we can cause the system call to execute a program called grep from a directory of our choosing. \u00a0Using this, we can put our password-acquiring shell script in our chosen directory with the name grep, and watch it be executed. 
\u00a0Let&#8217;s go ahead and set up our files, similar to the backtick attack above:<\/p>\n<blockquote><p>level3@blackbox:\/tmp\/.t$ more grep<br \/>\n#!\/bin\/sh<br \/>\n\/bin\/cat \/home\/level4\/password &gt; \/tmp\/.t\/p<br \/>\nlevel3@blackbox:\/tmp\/.t$ chmod 755 grep<br \/>\nlevel3@blackbox:\/tmp\/.t$ touch p<br \/>\nlevel3@blackbox:\/tmp\/.t$ chmod 777 p<\/p><\/blockquote>\n<p>Now let&#8217;s rewrite PATH so that it contains only the current directory, where our fake grep program is:<\/p>\n<blockquote><p>level3@blackbox:\/tmp\/.t$ export PATH=.\/<\/p><\/blockquote>\n<p>Finally we can run the program and see what happens (note that with PATH pointing only at .\/, we now have to call cat by its full path ourselves):<\/p>\n<blockquote><p>level3@blackbox:\/tmp\/.t$ \/home\/level3\/proclist<br \/>\nEnter the name of the program: a<br \/>\nlevel3@blackbox:\/tmp\/.t$ \/bin\/cat p<br \/>\nYYYYYYYYY<\/p><\/blockquote>\n<p>There we have it again, Blackbox Level 3 through PATH exploitation. \u00a0Remember, if you don&#8217;t provide a full path to a program, the operating system will look for it in your PATH, something under the control of the user.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today we&#8217;re going to be looking at level 3 of the Smash The Stack wargame, Blackbox. \u00a0As usual, the password will be stripped from the page and replaced with Y&#8217;s. 
\u00a0Now let&#8217;s move onto the game by ssh&#8217;ing into the &hellip; <a href=\"https:\/\/seanmurphree.com\/blog\/?p=123\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,6,4],"tags":[48,13,49,28,11,47],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/123"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":4,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":127,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions\/127"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}