KCL Security Engineering coursework encompasses 10 challenges (lev1 to lev10), each increasing in difficulty and residing in its directory on the virtual machine at /var/challenge/levelX. In each directory, there is a vulnerable program with its corresponding source code. Starting with lev0 access, the objective is to exploit each challenge to progress to the next level. Successful exploitation should lead to the execution of the special command "l33t" (full path: /usr/local/bin/l33t). Upon executing "l33t" with the correct privileges, a confirmation message will be received, indicating an elevation in access privileges (added to a higher group).
The level 01 program is an authentication mechanism designed to grant access to a shell only if the contents of two specified files are identical. The comparison is performed using the "diff" command, which typically compares the contents of two files and outputs the differences.
status = system("/usr/bin/diff /var/challenge/level1/.secret ~/.secret > /dev/null");In the vulnerable code segment, it uses the system function to execute the diff command.
/usr/bin/diff: The path to the "diff" command, responsible for comparing files./var/challenge/level1/.secret: The path to the first file, located in the system's challenge directory.~/.secret: The second file's path, where the tilde (~) is intended to represent the user's home directory.
The vulnerability stems from the program's reliance on the tilde symbol, where malicious actors can exploit this trust to redirect the file comparison towards unintended files, potentially within their control. This manipulation introduces an environment attack vulnerability, enabling unauthorized access and facilitating privilege escalation.
The 2.c program is designed to perform a sequence of operations involving the creation, content writing, brief waiting period, execution, and removal of a script file (script.sh). The program follows these steps sequentially, intending to execute a script contained in script.sh.
The vulnerability in 2.c arises from a critical race condition, specifically within the temporal window between script creation and execution. The susceptible portion of the code is illustrated below:
for (i = 0; i < 5; i++) {
printf(".");
fflush(stdout);
sleep(1);
}
printf(" starting script\n");
execl("/bin/sh", "sh", "-p", path, (char *) 0);The program introduces a time gap by employing a for loop that waits for five seconds before initiating the execution of script.sh (on line 31). During the five-second interval, an adversary could inject malicious commands into the script, leading to unauthorized code execution upon execution by the program. This lack of synchronization or locking mechanisms makes the program susceptible to unauthorized content manipulation during this critical time window.
The program (3.c) is designed to execute binaries (cat or ls) within the /devel/bin directory based on user input. It performs security checks on the provided command and dynamically allocates memory to create a command path. The program is intended to run within the /var/challenge/level3/devel/bin directory.
The vulnerability lies in the insufficient sanitization of user input when constructing the command path. Despite security checks to prevent certain characters, the program is susceptible to a path traversal attack due to the lack of comprehensive input validation.
An attacker can manipulate input by introducing ../ sequences, allowing navigation up the directory tree. Calculating the necessary traversal steps, the attacker identifies the number of levels to reach the root ("/") and access a target directory outside the intended scope, such as /usr/local/bin/l33t.
- The attacker calculates that it takes five levels up to reach the root.
- They craft input to prompt the program to execute a binary outside the intended directory:
./3 ../../../../../usr/local/bin/l33t. - The program, lacking proper input validation, constructs and executes the manipulated command.
- As a result, the attacker successfully runs the
l33tbinary outside the intended directory, demonstrating a path traversal exploit.