There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag01.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys types.h="">
#include <stdio.h>

int main(int argc, char **argv, char **envp)
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");

This program has been compiled and the executable is available in /home/flag01. Note that it has the famous suid bit again:

Exploit Exercises Nebula Level01

The goal here is to inject or execute “something” (ie. a shell) by overriding the system command echo. Luckily the program uses /usr/bin/env which means that it will be sensitive to the environment of the current user including the PATH variable.

So the first point is to provide our own echo command:

Exploit Exercises Nebula Level01

Then add the current directory in the PATH list:

Exploit Exercises Nebula Level01

And finally, run the program:

Exploit Exercises Nebula Level01

My way to go

## Project* Find Amazon s3 buckets: `s3-buckets-bruteforce /opt/SecLists/mine/s3-buckets.txt -` if found: `s3-buckets-extractor ` * Ex...… Continue reading

« Exploit Exercices, Nebula - level02

Published on January 13, 2015

Exploit Exercices, Nebula - level00 »

Published on January 13, 2015