
## Level 02

### Introduction

In order to complete this exercise we must run the `getflag` command as the user flag02. We are told to exploit the code below.

```c
#define _GNU_SOURCE   /* asprintf() is a GNU extension */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  char *buffer;

  gid_t gid;
  uid_t uid;

  /* the binary is SUID, so the effective ids belong to flag02;
     make them the real/saved ids too, so the child keeps them */
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  /* the command line is built from the caller-controlled USER variable */
  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\"%s\")\n", buffer);

  /* system() passes the string to /bin/sh -c, which parses it as shell syntax */
  system(buffer);
  return 0;
}
```

This code is an SUID program, meaning that it runs as a different user; in our case that user is flag02.

### Exploit

The line `asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));` is vulnerable. The program builds a shell command that echoes the environment variable `USER`, which the calling user controls, and hands the result to `system()`, so the shell interprets any metacharacters in `USER`. We can set the environment variable `USER` to be the `getflag` command, and when `buffer` is executed we will run our command.

If we run the command `export USER=";getflag;"`, the system call will look like `/bin/echo ;getflag; is cool`. While the last command is garbage, we will be able to successfully run the `getflag` command as the flag02 user.
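For contrast, here is how the same echo call could be written without the bug. This is an added example, not code from the writeup or from the Nebula level: the name is taken from the real uid via `getpwuid()` instead of the caller-controlled `USER` variable, and it is handed to `/bin/echo` as a single `argv` element through `execv()`, so no shell ever parses it. It assumes `/bin/echo` exists; `echo_is_cool` is a hypothetical helper name.

```c
/* Hardened rewrite of the level02 echo call (added example, not the original
 * program): no shell, no trust in getenv("USER"), and the value is one argv
 * element so ';' or '|' inside it has no special meaning. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "/bin/echo <name> is cool" without a shell and copy its stdout into out.
 * Returns the child's exit status (127 if /bin/echo could not be executed),
 * or -1 if the pipe or fork failed. */
int echo_is_cool(const char *name, char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        /* name is passed as-is: the kernel never interprets shell syntax */
        char *const argv[] = { "/bin/echo", (char *)name, "is", "cool", NULL };
        execv(argv[0], argv);
        _exit(127);   /* only reached if /bin/echo is missing */
    }
    close(fd[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* identity comes from the kernel, not from the environment */
    struct passwd *pw = getpwuid(getuid());
    char out[256];
    int rc = echo_is_cool(pw ? pw->pw_name : "unknown", out, sizeof out);
    fputs(out, stdout);
    return rc == 0 ? 0 : 1;
}
```

With this version `USER=";getflag;"` has no effect at all, and even a name containing `;getflag;` is printed literally rather than executed.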