What you’ll need to know…
As stated in the main page of this challenge, level16 has a script running on port 1616. We can see that the script is composed by two subroutines, login and htmlz. Also, it’s possible to understand from this script that the username will be converted to all uppercase and everything after a space will be stripped away.
We can exploit the program by taking advantage from the line 14, where a shell command is executed. I’m going to exploit the challenge in the same way that I did for level07, I’ll make this Perl script compile a SUID program so I can get a shell under flag16 account.
You should know the SUID code by now…
To compile this C code, we must pass a tiny shell program which performs this task.
I’m keeping all the files in /tmp directory.
Now, to start exploiting this exercise you can either use curl or netcat. You can even use a file where you write your commands and then redirect the content to one of these commands. I’ll use netcat in my examples.
So, connect to the program is as simple as entering the command nc 127.0.0.1 1616. After this, the prompt will be waiting for input. Because line 11 will convert every letter to uppercase, our shell script that will compile our SUID program needs to have an uppercase name. But now the location of that file is a problem…
So our command to inject will be
`/*/COMP`. As level07, we’ll have to encode this command in hexadecimal, where the command will become %60%2f%2a%2f%43%4f%4d%50.
Our final command will be GET /index.cgi?username=%60%2f%2a%2f%43%4f%4d%50%60. Here it is.
Now, it’s just a matter of running the SUID.
Done! 3 challenges left.
Challenges completed: 17/20
Same as level07.