- Userinput(although stripped and changed to capital letters) is used as parameter for the execution of a shellcommand.
This is a simple remote code execution. The username is altered in the given way, which limits the attackvector but does not eliminate it. The first thing one needs, is a command that consists of capital letters only. Create a file
/tmp/LEVEL15 with the following content:
Afterwards one need to apply the x-bit to that file.
The command of line 14 of the perl-script is executed using the shell. Most shells have great globbing features, command-expansions, … www.gnu.org is a great source of knowledge to this topic. In order to execute the given command, one only needs to use the globbing feature. The question is, how can one execute that command by only using capital letters without spaces? The answer is
/*/LEVEL15 or even
/*/LEV*. The shell first expands the commandline before it is executed. That leads to the command
/tmp/LEVEL15 and finally to the exploit:
wget -O /tmp/flag16 '127.0.0.1:1616/index.cgi?username=$(/*/LEV*)&password='
grep flag /tmp/flag16
Lesson / How to fix
- Do not trust userinput! There are too many ways for an attacker to execute arbitrary code.