Analyzing the source code, we can see that apart from setting all UIDs the same as EUID, level02 calls asprintf in order to dynamically build formatted data. More accurately, the format is "/bin/echo %s is cool". asprintf replaces "%s" with $USER from the environment variable.
The formatted data (held in buffer) is then passed as the argument to system().
Normally $USER holds the name of the currently logged in user, as one would expect. But we can set it to anything we want, therefore level02 is vulnerable to command injection.
Injecting commands into the vulnerable bufferTo specify another command to execute, we use ";" to separate the commands. Since we want a shell with the UIDs of flag02, as usual, we specify the next command to be sh. After that we can see from the format string that we are left with " is cool", which comes after our command. We want to ignore it, because it interferes with the command we want to inject, so we use "#" after our command, which means that everything that comes next is part of a comment and should not be considered by the shell.
Getting the flag
level02@nebula:~$ export USER='; sh #' level02@nebula:~$ /home/flag02/flag02 about to call system("/bin/echo ; sh # is cool") sh-4.2$ id uid=997(flag02) gid=1003(level02) groups=997(flag02),1003(level02) sh-4.2$ getflag You have successfully executed getflag on a target accountAnd with that we have our third flag! :)