Skip to content

Nebula Level01: A Newbie’s Approach

Published by MOVEAX on July 17, 2022

Still under the SUID programs category, level01 makes use of another trick in order to be solved, the manipulation of environment variables.

What you’ll need to know…

  • Use ln command
  • Environment Variables
  • Other basic Unix commands

Level01

If we analyze the code of level01 program, one of the first things that I notice is the use of a C function, system, and although it doesn’t receive input from the user, it’s still exploitable. Time to run the flag01 program.

Flag01

This output is (obviously) caused by the system function, more specifically by the “echo and now what?”. But how about the “/usr/bin/env”? Imagine that you have multiple programs in your system called echo. Which one will be executed? The answer is the first one that appears in the PATH variable. This is ensured by the “/usr/bin/env”.

To find out where the echo is located, run the command “which echo”.

which

Then, cross-reference the path resultant with the paths in the PATH variable.

path

Notice the folder that contains the echo program, it’s almost the last one. If we were able to put an echo program in some other folder that appears before /bin, that would be the one that would run. But we don’t have write permissions on any of those…

So the solution is to append to the beginning, a location where we actually can write, /home/level01.

printenv

Now, my goal is to get a shell, so I’ll create a little C program called echo.

echo.c

I compile the program using the command “gcc -o echo echo.c” and now I have a little program that gives me a shell.

Before I run the flag01 let’s recap. We have a program called flag01 that will call the first echo program it finds in the environment variable PATH. The first entry in this variable is /home/level01, inserted by us, and this folder contains an echo program written also by us, which will give us a shell.

Let’s check the current user, run the program and get the flag.

Solution of level01

Another solution, and if you didn’t want a shell, would be with symbolic links. Once more, we can add /home/level01 to the PATH and in this folder, place a symbolic link called echo which points to /bin/getflag. So, when you run the flag01 program, the following happens…

Another Solution for level01

Challenges completed: 2/20

Mitigation

Same advice as level00.

Walkthrough

https://youtube.com/watch?v=hxjN-xASoaw%3Fstart%3D54%26feature%3Doembed

Further Reading

Published inNebulaUncategorized