In this challenge, we’re again provided with the source code to the vulnerable program, only this time it isn’t loading the “echo” program from the environment’s path.
What I did initially notice here is that the “USER” variable is being called directly from the environment. This makes it very similar to the previous challenge. I luckily got this one on my first try.
What we’re doing here is injecting code into the echo command. As in the last challenge, this creates a bash script at /tmp/level02 that ignores any parameters passed to it, marks it executable so we can actually run it, and then executes it.
Oftentimes in situations like this, the bash script wouldn’t be needed, but since the “ is cool” text follows the injected command, something has to handle it. A bash script lets it be ignored, whereas passing it as a parameter to /bin/bash would try to execute it.
I’m guessing there may be an easier way than creating the bash script. Maybe a way to comment out the rest of the line? I’m not sure, but I know this method worked great for me.
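For the defensive side of the bug described above, here is an added example (not the challenge's source and not code from this post) of printing the same greeting without letting a shell parse the “USER” value. The function names `is_safe_username` and `greet` are hypothetical, and `/bin/echo` is assumed to be where echo lives.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check (hypothetical helper): letters, digits, '.', '_' and '-',
 * 1 to 32 characters, not starting with '-'. Everything else is rejected. */
int is_safe_username(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;
    n = strlen(s);
    return n <= 32 && strspn(s, ok) == n;
}

/* Hardened greeting (hypothetical helper): runs /bin/echo directly with an
 * argument vector. Returns echo's exit status, or -1 on rejection or failure. */
int greet(const char *user)
{
    pid_t pid;
    int status;
    if (!is_safe_username(user))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* No shell is involved: each argv entry reaches echo as one literal string. */
        char *const argv[] = { "echo", (char *)user, "is cool", NULL };
        char *const envp[] = { NULL };   /* empty environment for the child */
        execve("/bin/echo", argv, envp);
        _exit(127);                      /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* USER is still attacker-controlled input; it is validated inside greet(). */
    return greet(getenv("USER")) == 0 ? 0 : 1;
}
```

The argument-vector exec removes the shell parsing on its own; the allow-list is defense in depth for anything downstream that might reuse the value.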