<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-WoC75fPg22A/V-ZecIoKk6I/AAAAAAAAAMg/3rnHDCNZAIEft__04bRFIQ1FYs_QgTR6wCLcB/s1600/Nebula_level02_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-WoC75fPg22A/V-ZecIoKk6I/AAAAAAAAAMg/3rnHDCNZAIEft__04bRFIQ1FYs_QgTR6wCLcB/s1600/Nebula_level02_1.jpg" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
□ Aim: Execute the getflag command as the flag02 account and confirm the message "You have successfully executed getflag on a target account"</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
□ Vulnerability: Refer to the previous post (Nebula level02 hint)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
□ Source code interpretation</div>
<div style="margin-left: 1em;">
<div style="text-align: justify;">
○ The asprintf function stores the value of the USER environment variable in the buffer variable</div>
<div style="text-align: justify;">
○ The system function executes the command "/bin/echo USER is cool", with the value of USER substituted in</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
□ Solving strategy</div>
<div style="margin-left: 1em;">
<div style="text-align: justify;">
○ Because the program is SetUID, it runs with flag02's privileges when it is executed</div>
<div style="text-align: justify;">
○ Use the environment variable to get the getflag command executed</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-LLwtQbJSHno/V-ZecLf9WUI/AAAAAAAAAMk/6dMDkCJdUMwyGlaZ8PsfV28qkZVUwoS-QCLcB/s1600/Nebula_level02_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-LLwtQbJSHno/V-ZecLf9WUI/AAAAAAAAAMk/6dMDkCJdUMwyGlaZ8PsfV28qkZVUwoS-QCLcB/s1600/Nebula_level02_2.jpg" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you move to /home/flag02 and execute ./flag02, you see the result shown in the image above.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Set the USER environment variable to "dummy;getflag". Because of the semicolon, the shell splits the string into two commands.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-fxYinyNDups/V-ZecOBVVpI/AAAAAAAAAMc/6uZnHFroKLkSUU6hPjxWnsXnPttwPSHmgCLcB/s1600/Nebula_level02_4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-fxYinyNDups/V-ZecOBVVpI/AAAAAAAAAMc/6uZnHFroKLkSUU6hPjxWnsXnPttwPSHmgCLcB/s1600/Nebula_level02_4.jpg" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As shown in the image above, when you execute flag02, the echo command prints the dummy string. Then the getflag command to the right of the semicolon is executed.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Clear</div>
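<div style="text-align: justify;">
For comparison, a hardened form of the pattern described above, as an added example that is not the level's source or code from this post: the USER value is checked against an allowlist and /bin/echo is run with execve instead of system, so no shell ever parses the value. The function names, the allowed character set and the 32-character limit are assumptions.</div>

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check (assumed policy): letters, digits, '_', '-' and '.' only.
   Rejects shell metacharacters such as ';', '|', '&', '$', '`' and spaces. */
int is_safe_username(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 32)
        return 0;
    for (const char *p = s; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '_' || *p == '-' || *p == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened replacement for building a command string and calling system():
   no shell is involved, so the value is passed as one argv entry and is
   never interpreted as command syntax. Returns the child's exit status,
   or -1 if the name is rejected or the child could not be run. */
int echo_user_is_cool(const char *user)
{
    if (!is_safe_username(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", (char *)user, "is", "cool", NULL };
        char *const envp[] = { NULL };  /* child does not inherit the caller's environment */
        execve("/bin/echo", argv, envp);
        _exit(127);                     /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *user = getenv("USER");  /* untrusted input in a SetUID program */
    return echo_user_is_cool(user) == 0 ? 0 : 1;
}
```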