Let's start another challenge from Nebula machine and see what's our target this time.
There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.
Firstly, from the code, we know that /usr/bin/env will execute a program with the current enviroment. It includes a $PATH variable, which stores information where programs can be found. That way we can change the $PATH to some other folder, containing echo script. Then it will run the getflag program, just like in the previous level.
In addition, setuid bit is set, so it will run as the owner flag01. Let's start from creating a tmp directory, which will be our fake one.
Now we are able to create fake PATH using export command, and then create the fake echo program.
Don't forget about the execute permissions.
And we're ready to go, and run this vulnerable program.
Another challenge completed!