reddit hackernews mail facebook facebook linkedin

Exploit Exercices, Nebula - level01

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag01.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys types.h="">
#include <stdio.h>

int main(int argc, char **argv, char **envp)
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");

This program has been compiled and the executable is available in /home/flag01.

Note that it has the famous suid bit again:

Exploit Exercises Nebula Level01

The goal here is to inject or execute “something” (ie. a shell) by overriding the system command echo. Luckily the program uses /usr/bin/env which means that it will be sensitive to the environment of the current user including the PATH variable.

So the first point is to provide our own echo command:

Exploit Exercises Nebula Level01

Then add the current directory in the PATH list:

Exploit Exercises Nebula Level01

And finally, run the program:

Exploit Exercises Nebula Level01