Nebula Level 02

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

/* flag02 (setuid flag02): builds a shell command from $USER and hands it to system() */
asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));   /* $USER is attacker-controlled and never escaped */
printf("about to call system(\"%s\")\n", buffer);
system(buffer);   /* runs via /bin/sh -c, so shell metacharacters in $USER are interpreted */

We control the USER environment variable, and the setuid flag02 binary pastes it straight into a command line that system() hands to /bin/sh -c. A semicolon in $USER ends the echo command early, and the shell then executes whatever follows as a second command, still with flag02's effective uid. So we chain /bin/getflag by setting USER to ';/bin/getflag' before running the level binary (/home/flag02/flag02 on the Nebula VM). The program prints the command it is about to run, /bin/echo ;/bin/getflag is cool, then echo prints an empty line and /bin/getflag runs as flag02 (the trailing words "is cool" simply become its arguments). Note that nothing validates $USER: the login shell sets it for convenience, and any caller can override it. The fix is not to build a shell command line from untrusted input at all, for example by exec'ing /bin/echo directly with the name as a single argument, and to take the caller's name from getpwuid(getuid()) rather than from the environment.
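As an added example, not the level's source or this post's own code, the command-construction bug is shown beside a hardened form that never spawns a shell. The helper names build_command(), injected_command() and safe_echo() are assumptions for illustration; the injected USER value is the one the level solution uses.

```c
/* Added example: flag02's command-construction bug beside a hardened form.
 * Not Nebula's code; build_command(), injected_command() and safe_echo()
 * are hypothetical helper names chosen for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern from the level: interpolate an attacker-controlled
 * string into a command line that system() will pass to /bin/sh -c.
 * Same string the level builds with asprintf(); snprintf is used here so
 * the example compiles without _GNU_SOURCE. Caller frees the result. */
char *build_command(const char *user)
{
    const char *fmt = "/bin/echo %s is cool";
    int n = snprintf(NULL, 0, fmt, user);
    if (n < 0)
        return NULL;
    char *buffer = malloc((size_t)n + 1);
    if (!buffer)
        return NULL;
    snprintf(buffer, (size_t)n + 1, fmt, user);
    return buffer;
}

/* Returns 1 if the built command line contains a shell command separator,
 * i.e. would run something other than the intended echo; 0 otherwise;
 * -1 on allocation failure. This is a demonstration of what the shell
 * would see, not a fix: blocklisting separators is easy to bypass. */
int injected_command(const char *user)
{
    char *cmd = build_command(user);
    if (!cmd)
        return -1;
    int hit = strpbrk(cmd, ";|&`$\n") != NULL;
    free(cmd);
    return hit;
}

/* Hardened form: no shell at all. The user string becomes one argv element
 * of /bin/echo, so metacharacters are printed, never interpreted.
 * Returns echo's exit status, or -1 on fork/wait failure (127 if exec failed). */
int safe_echo(const char *user)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
        execv("/bin/echo", argv);
        _exit(127);   /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *payload = ";/bin/getflag";   /* the USER value from the level solution */

    char *cmd = build_command(payload);
    /* prints: system() would receive: /bin/echo ;/bin/getflag is cool */
    printf("system() would receive: %s\n", cmd ? cmd : "(alloc failed)");
    printf("separator present: %d\n", injected_command(payload));   /* 1 */
    free(cmd);

    printf("hardened echo: ");
    fflush(stdout);
    safe_echo(payload);   /* prints ";/bin/getflag is cool" and runs nothing else */
    return 0;
}
```

Running it shows the exact string /bin/sh would parse for the level's payload, and that the execv-based version prints the semicolon literally instead of executing what follows it. In the real level the setuid program should also stop trusting getenv("USER") and derive the name from getpwuid(getuid()).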
