Level02
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.
1 #include <stdlib.h>
2 #include <unistd.h>
3 #include <string.h>
4 #include <sys/types.h>
5 #include <stdio.h>
6
7 int main(int argc, char **argv, char **envp)
8 {
9 char *buffer;
10
11 gid_t gid;
12 uid_t uid;
13
14 gid = getegid();
15 uid = geteuid();
16
17 setresgid(gid, gid, gid);
18 setresuid(uid, uid, uid);
19
20 buffer = NULL;
21
22 asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
23 printf("about to call system(\"%s\")\n", buffer);
24
25 system(buffer);
26 }
Solution
This is similar to the previous level. Here it will execute "/bin/echo [string] is cool" and all we need to do is somehow force it to run getflag. Ok slightly different tactic here:
# USER=";getflag" # ./flag02
And that will do it! I could have put a ; after getflag, but it is not strictly necessary since getflag ignores any input.