There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag02.

```c
#define _GNU_SOURCE /* for asprintf() and setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

  system(buffer);
}
```

As in the previous level, we have a SUID executable owned by our target, flag02, which uses the USER environment variable to print a super cool message. Let’s try it:

[Image: Exploit Exercises Nebula Level02]

Note that the environment variable is used without any filtering: its value is placed directly into the string passed to system(). It usually contains the current user’s login, but let’s check its content:

[Image: Exploit Exercises Nebula Level02]

Since an environment variable can easily be altered, we can use it to call getflag:

[Image: Exploit Exercises Nebula Level02]

Or anything else:

[Image: Exploit Exercises Nebula Level02]
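For comparison, a hardened counterpart to the level's program, added here as an example and not part of the original post or the Nebula exercise. It takes the name from the password database instead of USER, validates it against an allowlist, and runs /bin/echo with execve() so no shell ever parses the string; the helper names `is_safe_username` and `echo_cool` are hypothetical.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check (hypothetical helper): 1-32 chars of [a-z0-9_-],
 * starting with a lowercase letter or underscore. */
int is_safe_username(const char *s)
{
    if (s == NULL || !((s[0] >= 'a' && s[0] <= 'z') || s[0] == '_'))
        return 0;
    size_t n = strlen(s);
    return n <= 32 && strspn(s, "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}

/* Run /bin/echo directly: no shell is involved, so the name travels as
 * data in a single argv element. Returns echo's exit status, or -1. */
int echo_cool(const char *user)
{
    char *msg = NULL, *envp[] = { NULL };   /* empty environment for the child */
    int status;
    if (!is_safe_username(user) || asprintf(&msg, "%s is cool", user) < 0)
        return -1;
    char *argv[] = { "echo", msg, NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);                          /* only reached if execve failed */
    }
    free(msg);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Take the name from the password database for the real UID,
     * not from the caller-controlled USER variable. */
    struct passwd *pw = getpwuid(getuid());
    return (pw && echo_cool(pw->pw_name) == 0) ? 0 : 1;
}
```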