"Whatever Pages"

Command-command-command

         Nebula 02 Agenda: “There is a vulnerability in the program that allows arbitrary programs to be executed, can you find it?”


So, what do we notice after a code review at this stage? The essential thing is the use of “char *getenv(const char *name)”, which looks up an environment variable (…obviously, thanks cap!) and returns a pointer to the corresponding value string. The next major call is “int system(const char *command)”. It executes the command specified in “command” by running “/bin/sh -c command” (command-command-command =)) and returns after the command has completed. Put together: the contents of an environment variable we control end up inside a string that a shell parses, and a shell does not care where the string came from.

Well, is there a clue? Definitely: the point is to replace the value of the $USER variable with a suitably tricky command (again =)). Whatever we put there is spliced into the string handed to system(), and “/bin/sh -c” happily treats a separator or control operator inside that value as the end of one command and the start of the next one.

1 level02@nebula:~$ export USER=";getflag;"
2 #OR
3 level02@nebula:~$ export USER="&getflag;"
4 #OR
5 level02@nebula:~$ export USER="|getflag;"
6 #OR
7 level02@nebula:~$ export USER="&& getflag;"
  • export - set the export attribute for a shell variable, so its value is copied into the environment of child processes (and is therefore what getenv() returns inside flag02).
  • ”;” - command separator: the shell runs the command before it, then the one after it, regardless of exit status. With USER=";getflag;" the assembled string is “/bin/echo ;getflag; is cool”, so echo prints an empty line, getflag runs, and the trailing “is cool” fails as “is: command not found”, which is harmless.
  • “& (ampersand)” - a control operator used to fork processes. From the Bash man page, “If a command is terminated by the control operator &, the shell executes the command in the background in a subshell”. The shell does not wait for it and immediately goes on to the next command, i.e. getflag.
  • “&&” - logical AND, runs the next command only if the previous one exited successfully; /bin/echo does, so getflag runs.
  • ”|” - the pipe operator, not bitwise OR: the shell runs both commands and connects the standard output of the first to the standard input of the second, so getflag runs regardless of echo's result. (The operator that runs the next command only if the preceding one fails is “||”, logical OR; it would not help here because echo succeeds.)
  • the quotes are used so our own login shell does not interpret the special characters while we set the variable; they are interpreted only later, when system() hands the assembled string to “/bin/sh -c”.
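As an added example (written for this page, not the Nebula level02 source), here is the same getenv()/system() pattern in C next to two hardened versions: an allowlist check on the value, and a fork()/execv() call that passes the value as a single argv element so no shell ever parses it. The function names build_shell_command, username_is_safe and echo_user_safely are ours, and the program only ever runs /bin/echo, so it is safe to try locally with any of the payloads above in USER.

```c
/* Added example, not the Nebula level02 program: the unsafe getenv()+system()
 * pattern beside an allowlist check and a shell-free exec. Function names are
 * our own. Only /bin/echo is ever executed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE pattern: the environment value is pasted verbatim into a string
 * that system() would hand to "/bin/sh -c", so ; & | && are parsed by the
 * shell. Writes the assembled command into out; returns its length, or -1
 * if it did not fit. (We only build the string here; we never system() it.) */
int build_shell_command(const char *user, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/echo %s is cool", user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Hardening 1: allowlist the value. A login name is [A-Za-z0-9._-] and at
 * most 32 bytes, so anything carrying a shell metacharacter is rejected
 * before any command is assembled. Returns 1 if safe, 0 otherwise. */
int username_is_safe(const char *user)
{
    if (user == NULL || *user == '\0' || strlen(user) > 32)
        return 0;
    for (const char *p = user; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardening 2: never involve a shell. fork()+execv() passes the value as one
 * argv element, so /bin/echo prints ";getflag;" literally and nothing else
 * runs. Returns the child's exit status, or -1 on failure. */
int echo_user_safely(const char *user)
{
    char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);              /* only reached if execv() itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *user = getenv("USER");
    if (user == NULL)
        user = "(unset)";

    char cmd[256];
    if (build_shell_command(user, cmd, sizeof cmd) < 0)
        snprintf(cmd, sizeof cmd, "(value too long)");
    printf("unsafe program would run: system(\"%s\")\n", cmd);

    printf("allowlist check: %s\n",
           username_is_safe(user) ? "accepted" : "rejected");

    /* Even a rejected value is printed verbatim by the execv() path. */
    printf("execv path prints: ");
    fflush(stdout);              /* keep output ordered before fork() */
    return echo_user_safely(user);
}
```

Run it with USER=";getflag;" (as exported above) to see that the string the unsafe program would pass to system() is “/bin/echo ;getflag; is cool”, that the allowlist rejects the value, and that the execv() path prints “;getflag; is cool” as plain text without ever starting getflag.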

That’s it! The final step: execute “/home/flag02/flag02” with the modified $USER in place and check the result.