After logging in, go to the "/home/flag01" path, where you can see the flag01 file. Its setuid bit is set, and when you execute the file it prints "and now what?".
From the given source, the following weaknesses can be expected.
[1] The setresuid() function is used: it changes the process's UIDs (real UID, effective UID, saved UID). Here it replaces the real, effective and saved UID values with the euid (= flag01). This gives the process the authority of flag01 while it executes, so for as long as the process is running, the user has the authority of flag01.
[2] The /usr/bin/env command is used: when the echo program is run this way, it is influenced by environment variables (= $PATH).
So if you execute a shell program from a modified echo program, you can get a shell with flag01's authority.
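The $PATH dependence described in [2], and a call that avoids it, as an added example (not the flag01 source, which this page does not reproduce). The names resolve_in_path and run_echo_hardened are hypothetical, and /bin/echo is assumed to be where the system's echo lives.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Walk a colon-separated PATH left to right and return the first regular,
 * executable file called `name`: the lookup "/usr/bin/env echo" relies on.
 * Empty components are skipped. Returns 0 and fills `out`, or -1 if no match. */
int resolve_in_path(const char *name, const char *path, char *out, size_t n)
{
    char *copy = strdup(path), *save = NULL;
    struct stat st;
    int rc = -1;
    if (copy == NULL)
        return -1;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, n, "%s/%s", dir, name);
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0) {
            rc = 0;
            break;
        }
    }
    free(copy);
    return rc;
}

/* Hardened call: absolute path (assumed /bin/echo), no shell, and a fixed
 * environment, so the caller's $PATH never takes part in the lookup.
 * Returns the child's exit status, or -1 on failure. */
int run_echo_hardened(void)
{
    char *const argv[] = { "echo", "and now what?", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);                 /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

resolve_in_path shows that whichever directory comes first in $PATH decides which echo runs; run_echo_hardened gives the same output regardless of what the invoking user exported.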
[1] Modify the "/home/level01/.bashrc" file so that the change takes effect immediately when a bash shell is started. Write export PATH="/home/level01/:$PATH", placing the directory at the far left of the path so that it is referenced earlier than the existing entries.
[2] Execute a bash shell.
[3] Now you can check that the "/home/level01" path is referenced earlier than the other paths.
[1] Move to the "/home/level01" path.
[2] Make a shell script that executes "/bin/bash". Name it echo.
[3] Give all users execute permission on the echo file.
[4] Check that the shell script file echo has been created.
[1] Execute "/home/flag01".
[2] As a result, a shell with flag01's authority is executed. The prompt has changed.
[3] Execute the command "getflag". level01 is cleared.