Still under the SUID programs category, level01 makes use of another trick in order to be solved, the manipulation of environment variables.
What you’ll need to know…
- Use ln command
- Environment Variables
- Other basic Unix commands
If we analyze the code of level01 program, one of the first things that I notice is the use of a C function, system, and although it doesn’t receive input from the user, it’s still exploitable. Time to run the flag01 program.
This output is (obviously) caused by the system function, more specifically by the “echo and now what?”. But how about the “/usr/bin/env”? Imagine that you have multiple programs in your system called echo. Which one will be executed? The answer is the first one that appears in the PATH variable. This is ensured by the “/usr/bin/env”.
To find out where the echo is located, run the command “which echo”.
Then, cross-reference the path resultant with the paths in the PATH variable.
Notice the folder that contains the echo program, it’s almost the last one. If we were able to put an echo program in some other folder that appears before /bin, that would be the one that would run. But we don’t have write permissions on any of those…
So the solution is to append to the beginning, a location where we actually can write, /home/level01.
Now, my goal is to get a shell, so I’ll create a little C program called echo.
I compile the program using the command “gcc -o echo echo.c” and now I have a little program that gives me a shell.
Before I run the flag01 let’s recap. We have a program called flag01 that will call the first echo program it finds in the environment variable PATH. The first entry in this variable is /home/level01, inserted by us, and this folder contains an echo program written also by us, which will give us a shell.
Let’s check the current user, run the program and get the flag.
Another solution, and if you didn’t want a shell, would be with symbolic links. Once more, we can add /home/level01 to the PATH and in this folder, place a symbolic link called echo which points to /bin/getflag. So, when you run the flag01 program, the following happens…
Challenges completed: 2/20
Same advice as level00.