In level01 you’re given a short code example, and asked to exploit it. After looking at the code for a short period, it was clear that the issue was in the line:
system("/usr/bin/env echo and now what?");
I’m not a C programmer, so I had to look up the other stuff, but when I realized that echo was not an explicit path, it was clearly simple that it was the exploit.
To exploit this I did the following:
In /home/flag01 I created a script named echo, with the following content:
Make the script executable with chmod +x, then run /home/flag01/flag01:
level01@nebula:~$ chmod +x echo level01@nebula:~$ /home/flag01/flag01 flag01@nebula:~$ getflag You have successfully executed getflag on a target account
Now onto Nebula Level02 when I have some time