Exploit Exercises, Nebula - level02
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? Files for this level can be found in /home/flag02.
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
      char *buffer;

      gid_t gid;
      uid_t uid;

      gid = getegid();
      uid = geteuid();

      setresgid(gid, gid, gid);
      setresuid(uid, uid, uid);

      buffer = NULL;

      asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
      printf("about to call system(\"%s\")\n", buffer);

      system(buffer);
    }
As in the previous level, we have a setuid executable owned by our target, flag02, which uses the environment variable USER to print a super cool message.
Let’s try it:
Note that the environment variable is used without any filtering. It usually contains the current user's login, but let's check its content:
Since environment variables can be easily altered, we can use it to call getflag:
Or anything else:
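For the defensive side, here is a hardened variant of the program, as an added example that is not part of the original write-up or of the Nebula level. It takes the name from the password database entry of the real UID instead of USER, and runs /bin/echo through execve with no shell and an empty environment; `is_safe_username` and `run_echo` are hypothetical helper names.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: allow only [a-z_][a-z0-9_-]*, at most 32 characters. */
int is_safe_username(const char *s)
{
    size_t n = 1;
    if (s == NULL || !(islower((unsigned char)*s) || *s == '_'))
        return 0;
    for (const char *p = s + 1; *p; p++, n++)
        if (!(islower((unsigned char)*p) || isdigit((unsigned char)*p) ||
              *p == '_' || *p == '-'))
            return 0;
    return n <= 32;
}

/* Hypothetical helper: run /bin/echo directly, with no shell in between, so
 * `user` is one literal argv element. Returns echo's exit status or -1. */
int run_echo(const char *user)
{
    char msg[64];
    int len = snprintf(msg, sizeof msg, "%s is cool", user);
    if (len < 0 || (size_t)len >= sizeof msg)
        return -1;                        /* refuse truncated input */
    char *const argv[] = { "echo", msg, NULL };
    char *const envp[] = { NULL };        /* caller's environment is not inherited */
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);                       /* only reached if exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Name comes from the real UID, not from the caller-controlled USER. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || !is_safe_username(pw->pw_name))
        return 1;
    return run_echo(pw->pw_name) == 0 ? 0 : 1;
}
```

Either measure alone removes the injection: the allow-list rejects shell metacharacters, and the execve call never hands the string to a shell in the first place.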