Exploit-Exercises Nebula level02
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.
level2.c
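#define _GNU_SOURCE   /* needed for asprintf() and setresgid()/setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    char *buffer;
    gid_t gid;
    uid_t uid;

    /* Make the effective (set-user-ID) identity the real and saved one too. */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    buffer = NULL;
    /* USER is read from the caller-controlled environment and is not escaped. */
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);
    /* system() passes the whole string to /bin/sh for interpretation. */
    system(buffer);
}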
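Simply hijack the USER environment variable with your own command: the program pastes its value, unescaped, into the string it hands to system(), so the shell interprets whatever it contains. The man page states that secure_getenv() should be used to keep set-user-ID programs from accidentally trusting the environment.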
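A hardened take on the same program, added here as an example and not part of the original post or the Nebula source: the name comes from the password database for the real UID instead of USER, is checked against an allowlist, and reaches /bin/echo through execve() with a fixed argument vector and an empty environment, so no shell ever parses it. The helper names name_is_safe and echo_is_cool, and the 32-character limit, are assumptions made for the illustration.

```c
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist: 1..32 characters from [A-Za-z0-9_.-], not starting with '-'
 * (a leading '-' could be read as an option by the child program). */
int name_is_safe(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    size_t n = strspn(s, "abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-");
    return s[n] == '\0' && n <= 32;
}

/* Run "/bin/echo <name> is cool" without a shell.
 * Returns the child's exit status, or -1 if the name is rejected or a call fails. */
int echo_is_cool(const char *name)
{
    if (!name_is_safe(name))
        return -1;
    char *argv[] = { "echo", (char *)name, "is", "cool", NULL };
    char *envp[] = { NULL };            /* child inherits no PATH, IFS, LD_* ... */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp); /* absolute path, no PATH lookup */
        _exit(127);                      /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Identity comes from the kernel and the passwd database, not from $USER. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return 1;
    return echo_is_cool(pw->pw_name) == 0 ? 0 : 1;
}
```

Swapping getenv() for secure_getenv() alone would make the set-user-ID binary see USER as NULL, which is why the name is looked up from the UID here.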