Nebula Level02: A Newbie’s Approach


I see level02 as a combination of the previous two exercises, level00 and level01. Let’s dig in and work through the solution.


What you’ll need to know…

  • Basic Unix commands



First, we can see that the flag02 program in the /home/flag02 directory has the SUID bit set, which means that it runs with the privileges of the flag02 user.

By taking a quick look at the original code of flag02, the system function stands out as the most likely vulnerability. Strictly speaking, though, the vulnerability is the missing input validation: the environment variable USER is attacker-controlled and should be sanitized, removing all punctuation, before it is placed in a shell command.

We can also notice that the program reads the environment variable “USER” through the getenv function, so from this simple code we can infer that the program will output “*name of user* is cool”. Let’s confirm.

Run level03

Simple. Now, imagine that instead of the user’s name, the USER variable held a command! This is not quite that straightforward.

As you are probably thinking, we can change the variable USER to something useful, but the problem is that there is still an echo command before it and some text after it.

So the solution for level02 is to use shell chaining operators so that USER carries multiple commands. In this case, we’ll feed garbage to the echo command, insert a useful command, and comment out the rest.

Here’s what I’m thinking.

Solution of level02

It’s crucial that you understand that the command being executed will be: about to call system("/bin/echo MOVEAXME;/bin/bash # is cool"). The ‘;’ ends the echo command, /bin/bash is then run as a second command, and the ‘#’ turns the trailing “ is cool” into a shell comment.

Let’s see what happens when we execute flag02.

level02 solved

We got a shell under flag02 user. Now, if you use the command getflag, you’ll solve the challenge.

Of course, instead of /bin/bash you could have passed the getflag command and solved the challenge right away, but I always prefer to get a shell 😉
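As an added example (not code from this post or from Nebula’s flag02 itself), here is the unsafe system() pattern the write-up describes next to a hardened version that allowlists the USER value and runs /bin/echo through execv, so no shell ever parses it. The function names and the 32-character limit are my own assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe pattern, modelled on the post's description (not flag02's code):
 * USER is interpolated into a command line that /bin/sh then parses, so a
 * ';' or '#' inside it is interpreted by the shell, not printed by echo. */
int greet_unsafe(const char *user) {
    char *cmd = NULL;
    if (asprintf(&cmd, "/bin/echo %s is cool", user) < 0) return -1;
    int rc = system(cmd);   /* the shell sees the whole string */
    free(cmd);
    return rc;
}

/* Allowlist check: only characters that can appear in a Unix login name. */
int user_is_safe(const char *user) {
    if (user == NULL || *user == '\0' || strlen(user) > 32) return 0;
    for (const char *p = user; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '_' || *p == '-' || *p == '.';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened: validate first, then exec /bin/echo with a fixed argv array.
 * Returns echo's exit status, or -1 if the name was rejected. */
int greet_safe(const char *user) {
    if (!user_is_safe(user)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
        execv(argv[0], argv);   /* no shell: metacharacters stay literal */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    if (greet_safe(getenv("USER")) != 0)
        fprintf(stderr, "rejected USER value\n");
    return 0;
}
```

With USER set to the post’s payload, greet_safe refuses it outright, while greet_unsafe would hand it to /bin/sh.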

Challenges completed: 3/20



Same advice as level00.



