Skip to content

Security Engineering coursework that delves into the intricacies of vulnerable programs, requiring the adept exploration and exploitation of their weaknesses to execute the "l33t" command and progress through ascending levels of difficulty.

Notifications You must be signed in to change notification settings

tylersupersad/security-engineering-exploits

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 

Repository files navigation

Security Engineering Exploitation Coursework

KCL Security Engineering coursework encompasses 10 challenges (lev1 to lev10), each increasing in difficulty and residing in its directory on the virtual machine at /var/challenge/levelX. In each directory, there is a vulnerable program with its corresponding source code. Starting with lev0 access, the objective is to exploit each challenge to progress to the next level. Successful exploitation should lead to the execution of the special command "l33t" (full path: /usr/local/bin/l33t). Upon executing "l33t" with the correct privileges, a confirmation message will be received, indicating an elevation in access privileges (added to a higher group).

security-engineering-scoreboard

Level 01

The level 01 program is an authentication mechanism designed to grant access to a shell only if the contents of two specified files are identical. The comparison is performed using the "diff" command, which typically compares the contents of two files and outputs the differences.

status = system("/usr/bin/diff /var/challenge/level1/.secret ~/.secret > /dev/null");

In the vulnerable code segment, it uses the system function to execute the diff command.

  • /usr/bin/diff: The path to the "diff" command, responsible for comparing files.
  • /var/challenge/level1/.secret: The path to the first file, located in the system's challenge directory.
  • ~/.secret: The second file's path, where the tilde (~) is intended to represent the user's home directory.

Level 01 Vulnerablity Breakdown

The vulnerability stems from the program's reliance on the tilde symbol, where malicious actors can exploit this trust to redirect the file comparison towards unintended files, potentially within their control. This manipulation introduces an environment attack vulnerability, enabling unauthorized access and facilitating privilege escalation.

Level 02

The 2.c program is designed to perform a sequence of operations involving the creation, content writing, brief waiting period, execution, and removal of a script file (script.sh). The program follows these steps sequentially, intending to execute a script contained in script.sh.

The vulnerability in 2.c arises from a critical race condition, specifically within the temporal window between script creation and execution. The susceptible portion of the code is illustrated below:

for (i = 0; i < 5; i++) {
    printf(".");
    fflush(stdout);
    sleep(1);
}
printf(" starting script\n");
execl("/bin/sh", "sh", "-p", path, (char *) 0);

Level 02 Vulnerability Breakdown

The program introduces a time gap by employing a for loop that waits for five seconds before initiating the execution of script.sh (on line 31). During the five-second interval, an adversary could inject malicious commands into the script, leading to unauthorized code execution upon execution by the program. This lack of synchronization or locking mechanisms makes the program susceptible to unauthorized content manipulation during this critical time window.

Level 03

The program (3.c) is designed to execute binaries (cat or ls) within the /devel/bin directory based on user input. It performs security checks on the provided command and dynamically allocates memory to create a command path. The program is intended to run within the /var/challenge/level3/devel/bin directory.

The vulnerability lies in the insufficient sanitization of user input when constructing the command path. Despite security checks to prevent certain characters, the program is susceptible to a path traversal attack due to the lack of comprehensive input validation.

Level 03 Vulnerability Breakdown

An attacker can manipulate input by introducing ../ sequences, allowing navigation up the directory tree. Calculating the necessary traversal steps, the attacker identifies the number of levels to reach the root ("/") and access a target directory outside the intended scope, such as /usr/local/bin/l33t.

Exploitation Scenario

  1. The attacker calculates that it takes five levels up to reach the root.
  2. They craft input to prompt the program to execute a binary outside the intended directory: ./3 ../../../../../usr/local/bin/l33t.
  3. The program, lacking proper input validation, constructs and executes the manipulated command.
  4. As a result, the attacker successfully runs the l33t binary outside the intended directory, demonstrating a path traversal exploit.

Coursework Evaluation

Grade: 95.00/100.00

About

Security Engineering coursework that delves into the intricacies of vulnerable programs, requiring the adept exploration and exploitation of their weaknesses to execute the "l33t" command and progress through ascending levels of difficulty.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published