Commit 91267ee
Changed files (1)
exploit_exercises/nebula/level01/readme.md
@@ -29,3 +29,19 @@ int main(int argc, char **argv, char **envp)
system("/usr/bin/env echo and now what?");
}
```
+# Solution
+From the [system(3)](http://linux.die.net/man/3/system) man page, `system` should not be used in a
+program that sets UID values. The [reason](http://stackoverflow.com/a/6268850) for this stems from
+the fact that a malicious user may set environment variables to other values, permitting nefarious
+actions to "subvert system integrity".
+
+Examining the line
+
+> `system("/usr/bin/env echo and now what?");`
+
+note that there are three "tokens", or distinct processable parts of the string: `/usr/bin/env`,
+`echo`, and `and now what?`. Of these, the `echo` token uses a relative path in order to load. To
+subvert this, modify the PATH variable (i.e. `PATH=~/exploit:$PATH`) to include another directory.
+In this directory, create a file named `echo` with the contents `/bin/bash`. Export the new PATH
+variable, and then run the program. Note that the shell prompt changes from `level101@nebula:...`
+to `flag01@nebula:...`.
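Review bot: The paragraph beginning `note that there are three "tokens"` describes the command line inaccurately. `system` hands the string to `/bin/sh -c`, so `and now what?` is split into three separate arguments rather than one token, and `echo` is not a relative path but a bare command name that `env` resolves by searching `PATH`. Suggest rewording to say that `env` looks up `echo` through `PATH`, which the caller controls, since that is the actual root cause. In the last sentence the prompt `level101@nebula:...` looks like a typo for `level01@nebula:...`, given the `level01` directory in the file path and the `flag01` prompt that follows. The section would also be more complete with a closing sentence on the fix implied by the man page reference, for example invoking the binary by absolute path (`/bin/echo`) or resetting the environment before the call. Minor style point: add a blank line between the closing code fence and `# Solution` so the heading renders consistently.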