
Nebula Level12: A Newbie’s Approach

Level12 again shows the problem of missing input sanitization, this time in a small Lua program. As usual, let’s try to obtain a shell under the flag12 account.


What you’ll need to know…

  • Lua programming language


Level12

First time using Lua here. I knew about this programming language, but never had the opportunity to try it, although it was (is 🙂) on my TODO list.
So, we have a small program listening on port 50001. When you connect to it, it will ask for a password, hash it and try to match it against a hard-coded hash.

[Image: Overview]

In order to calculate the hash, the program resorts to the popen function, which runs a shell command. I’m going to solve this one quickly, using the trick applied in the last exercise: I’ll place the SUID program and its compiler in the /tmp directory and make the program compile it.

[Image: commands]

In this last image, I make use of command chaining. The reason is that the command being executed will be “echo password | sha1sum”, so I fed something to the echo and ended that command with the “;” separator, in order to execute more commands. I made flag12.lua execute my bash script, which compiles the SUID program, and I commented out the rest of the original command using the “#” symbol. The result of this execution can be found in the next image.

[Image: SUID]

Now we just need to execute this program, which is owned by flag12 and will run under the flag12 account instead of level12.

[Image: Result level12]

There you go!

Challenges completed: 13/20

 

Mitigation

Once again, we can see the harmful outcomes of passing user input directly into a program’s shell command without sanitization.

From what I read, there are some implementations of SHA1 in Lua, but in any case, if you want to make a system call in order to compute the hash, ensure that no negative outcome can arise and, most importantly, test it!
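As an added example (not the level’s own flag12.lua and not code from the challenge author), the following Lua shows the popen-based hashing pattern the post describes next to a hardened version that keeps the untrusted bytes out of the shell command string entirely. The temp-file route, the length limit and the character allowlist are assumptions made for this example, not part of the original program.

```lua
-- Vulnerable pattern (as described in the post): the password is concatenated
-- into a shell command, so /bin/sh parses the user's bytes as shell syntax.
local function hash_vulnerable(password)
  local prog = assert(io.popen("echo " .. password .. " | sha1sum", "r"))
  local data = prog:read("*a")
  prog:close()
  return string.sub(data, 1, 40)
end

-- Hardened version: the command string is a constant chosen by the program.
-- The password reaches sha1sum only as the contents of a temporary file
-- (assumed design for this example), so the shell never interprets it.
local function hash_hardened(password)
  -- Defence in depth: reject empty, oversized, or whitespace/control-character
  -- input before doing anything with it. The policy itself is an assumption.
  if #password == 0 or #password > 128 or not password:match("^[%w%p]+$") then
    return nil, "password rejected by input policy"
  end

  local tmp = os.tmpname()             -- path chosen by the runtime, not the user
  local f = assert(io.open(tmp, "wb"))
  f:write(password, "\n")              -- echo appends a newline; keep the digest identical
  f:close()

  -- Fixed command: only the runtime-generated temp path is interpolated.
  local prog = assert(io.popen("sha1sum < " .. tmp, "r"))
  local data = prog:read("*a")
  prog:close()
  os.remove(tmp)

  return string.sub(data, 1, 40)
end

-- Constructed usage: both functions agree on a benign password.
assert(hash_vulnerable("hunter2") == hash_hardened("hunter2"))
print(hash_hardened("hunter2"))

-- With shell metacharacters present, the hardened version simply hashes them
-- as data; nothing is executed because the input never enters the command line.
local digest, why = hash_hardened("x;id#")
print(digest or why)
```

The key design choice is that user data travels through a channel the shell does not parse (file contents) while the command line stays constant; the allowlist check is a second layer, not the fix itself. A pure-Lua SHA-1 implementation, as the post mentions, would remove the shell from the picture altogether and avoid the temp file as well.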


Published in Nebula
