
Nebula - Level09 - Vulnerable SETUID

About

There's a C setuid wrapper for some vulnerable PHP code. To do this level, log in as the level09 account with the password level09. Files for this level can be found in `/home/flag09`.

Source code

```php
<?php

function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);

  return $email;
}

function markup($filename, $use_me)
{
  $contents = file_get_contents($filename);

  // The /e modifier makes preg_replace evaluate the replacement string as PHP
  // after the captured groups are substituted into it: this is the vulnerable line.
  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>
```

Solution

The line `$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);` is vulnerable because of the `/e` modifier in the expression `"/(\[email (.*)\])/e"`. With `/e`, preg_replace substitutes the captured groups into the replacement string and then evaluates that string as PHP code, so whatever the input file puts inside `[email ...]` ends up inside a PHP string that is executed [1]. Since `$use_me` (the wrapper's second argument) is in scope inside `markup()`, PHP complex curly syntax in a specially crafted file can turn that string into a system call and gain a shell.
Create the file with `echo '[email {${system($use_me)}}]' > <file name>` (single quotes keep the shell from interpreting the braces), and then execute the program with `/home/flag09/flag09 <path to file> /bin/bash`.
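As an added example (not part of the level's files), here is the same markup() written without `/e`: preg_replace_callback hands the capture to a closure as plain data, so the curly-syntax payload above is no longer evaluated. The function is named markup_safe here to distinguish it from the original, and the sample input file is constructed inline.

```php
<?php
// Hardened rewrite of markup() (added example, not the level's own code).
// The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0;
// preg_replace_callback is the supported replacement for it.

function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);
  return $email;
}

function markup_safe($filename, $use_me)
{
  $contents = file_get_contents($filename);

  // The captured address reaches spam() as a string argument; it is never
  // compiled as PHP, so $use_me (still in scope here) cannot be reached.
  $contents = preg_replace_callback(
    "/(\[email (.*)\])/",
    function ($m) { return spam($m[2]); },
    $contents
  );
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}

// Constructed sample file: the first line is the payload shape from the
// solution, the second is an ordinary address.
$tmp = tempnam(sys_get_temp_dir(), "lvl09");
file_put_contents($tmp, "[email {\${system(\$use_me)}}]\n[email user@example.com]\n");

// Prints the payload back as inert text and "user AT example dot com";
// no command is run regardless of the second argument.
print markup_safe($tmp, "/bin/bash");
unlink($tmp);
?>
```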