Today I learned how the “which” command works.
Let’s see what the which command does:
In this code it searches in $PATH, which is a Unix Environmental
$PATH: Contains a colon-separated list of directories that the
shell searches for commands that do not contain a slash in their
name. Keep PATH in mind.
So this is our question:
When you execute this program, it prints the id: the real and the
effective user and group ID.
See, calling system() is similar to running a command in a terminal.
system() executes a command specified in string by calling
/bin/sh -c string, and returns after the command has been
completed. During execution of the command, SIGCHLD will be
blocked, and SIGINT and SIGQUIT will be ignored.
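The PATH lookup and the system() behaviour described above, seen from the defender's side: which file a slash-less command name resolves to, and which PATH entries other users could write into. This is an added example, not code from the original post; `risky_entry` and `resolve_in_path` are hypothetical names.

```c
/* Added example: PATH lookup order and a PATH entry audit (illustrative). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if other users could plant a binary via this entry: empty or relative
 * entries resolve against the current directory; world-writable is open. */
int risky_entry(const char *dir)
{
    struct stat st;
    if (dir[0] != '/')
        return 1;
    return stat(dir, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH);
}

/* Walk `path` left to right; the first directory holding an executable
 * regular file named `cmd` wins. Returns 0 and fills `out`, else -1. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    for (const char *p = path;; ) {
        size_t len = strcspn(p, ":");
        struct stat st;
        /* An empty entry means the current directory. */
        int n = len ? snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd)
                    : snprintf(out, outlen, "./%s", cmd);
        if (n > 0 && (size_t)n < outlen && stat(out, &st) == 0 &&
            S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            return 0;
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    const char *path = getenv("PATH") ? getenv("PATH") : "";
    char hit[4096];
    if (resolve_in_path("id", path, hit, sizeof hit) == 0)
        printf("id resolves to %s\n", hit);
    printf("\".\" risky: %d, /usr/bin risky: %d\n",
           risky_entry("."), risky_entry("/usr/bin"));
    return 0;
}
```

A set-UID program avoids this lookup entirely by calling execve() with an absolute path and a fixed environment instead of system().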
If you look at the permissions of the executable file,
you will find an ‘s’ in place of the x in the owner’s
On an executable program with set-UID or set-groupID, that program
runs with the effective permissions of its owner or group.
For a directory, the set-groupID flag means that all files created
inside that directory will inherit the group of the directory.
Without this flag, a file takes on the primary group of the user
creating the file. This property is important to people trying to
maintain a directory as group accessible. The subdirectories also
inherit the set-groupID property.
So if we get a shell from this executable file, that shell will
run as level5.
We cannot solve this using a buffer overflow, since there isn’t any
function which contains a system call to a shell. So we have to
do something else.
In STS, as you may have noticed, we can create a file or folder only
inside /tmp
Make a folder named sys inside /tmp and also make a file
Note: you can name the folder as you wish.
Now create a simple program which contains a system() call
that runs sh (/bin/sh). Give the program any name;
I named it bla.c, but while compiling make an output file
Do you remember the PATH variable I mentioned at the
beginning of this level? Make use of it to set the path as
Then execute the level04 executable file. Now you will get
a shell; set the default PATH immediately after
getting the shell. Then check the ‘id’ of the new shell. You
will find it is level 5.
Please find the password for the next level from