# Nebula - 12

![](https://telegra.ph/file/bbb7e33a894a883da952d.png align="center")

> *There is a backdoor process listening on port 50001.*

> *To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12.*

### **Source code**

```lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

-- Returns the SHA-1 hex digest of the password by shelling out to sha1sum.
-- The password is concatenated into the command string unescaped.
function hash(password)
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()
  data = string.sub(data, 1, 40)
  return data
end

while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local line, err = client:receive()
  if not err then
    print("trying " .. line) -- log from where ;\
    local h = hash(line)
    if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
      client:send("Better luck next time\n");
    else
      client:send("Congrats, your token is 413**CARRIER LOST**\n")
    end
  end
  client:close()
end
```

### **Getting the flag**

The comment `-- log from where ;\` caught my attention here. There doesn't seem to be much sanitization in the code, so let's try the most common example of an OS command injection.

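Put simply, `hash()` concatenates whatever we send into the string `echo <password> | sha1sum` and hands it to `io.popen`, which runs it through the shell. So we can provide the argument the service is waiting for and then, using `;` as a command separator, chain another command for the shell to execute.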

Example:

![](https://telegra.ph/file/d288d48b470434100f772.png align="left")

By exploiting that vulnerability, we can also get the flag:

![](https://telegra.ph/file/440dcbfe2162a116f2156.png align="left")
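
A hardened form of `hash()` that closes this injection, added here as an example and not taken from the level or from this write-up's original code. It assumes a POSIX host with `sha1sum` on the PATH (as the original does) and keeps the password out of the command string by writing it to a file named by `os.tmpname()`; the sample passwords are constructed.

```lua
-- Added example (not from the level): hash() without user data in the shell.
-- Assumes a POSIX host with sha1sum on PATH, as the original code does.

local function hash(password)
  -- os.tmpname() picks the path; the client has no influence on it.
  local path = os.tmpname()
  local f = assert(io.open(path, "w"))
  -- The original ran `echo <password> | sha1sum`, so the digest covered the
  -- password plus a newline. Write the same bytes so stored hashes still
  -- match for ordinary passwords.
  f:write(password, "\n")
  f:close()

  -- The command line is now a constant plus a runtime-chosen path.
  local prog = assert(io.popen("sha1sum " .. path, "r"))
  local data = prog:read("*all")
  prog:close()
  os.remove(path)

  return string.sub(data, 1, 40)
end

-- Constructed inputs: shell metacharacters are hashed as plain bytes.
-- With the vulnerable hash() the second and third inputs would not yield
-- a clean 40-character hex digest, so the assertion doubles as a regression check.
for _, pw in ipairs({ "password123", "x; echo injected", "$(echo injected)" }) do
  local h = hash(pw)
  assert(#h == 40 and h:match("^%x+$"), "expected a 40-character hex digest")
  print(pw, h)
end
```

The password sits in a temporary file for a moment; where a SHA-1 library is available to the Lua runtime, hashing in-process avoids both the file and the subprocess.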
