by Benedikt Ferling -- Level 01


  1. Using functions that are known to be vulnerable!
  2. Read the manual!

The given program uses the internal function system(const char *command); to execute a command. Refering to this function uses /bin/sh -c to execute the given command. If a relative name is used, /bin/sh -c searches within the paths - given by the environment-variable PATH - for a command that matches that name. That means one can modify the PATH-variable, and executes its own implementation of the relative command. This custom command can be a shellscript or a binary.


Note line 17 from the code.

17 system("/usr/bin/env echo and now what?");

It uses system(const char *command); to execute the command /usr/bin/env echo and now what?. One can edit the environment-variable PATH, and run his own echo. Create the file /tmp/echo and write the following content to it.


In addition make the file executable and edit the PATH-variable:

chmod +x /tmp/echo

Executing the command leads us to the flag.



You can add any commands to the shellscript - they will be run as user flag01.

Lesson / How to Fix

  1. Do not use functions that are known to be vurlnerable! Using absolute paths will not help either – see, section Notes for more details.
  2. Read the manual! As this wargame will show on other levels too, reading the documentation of used functions is essential if one wants to programm with security in mind.

The intention of the program is not clear to me. A possible fix is using the function printf without using userinput, i.e. the fix string “/usr/bin/env echo and now what?”. Having userinput, leads to other problems like buffer-overflows or formatstring-overflows.

other levels…

00 01 02 03 04 05 06 07 08 09
10 11 12 13 14 15 16 17 18 19