Level12 once again shows the problem of input sanitization, demonstrated with one small Lua program. As usual, let’s try to obtain a shell under the flag12 account.
What you’ll need to know…
- Lua programming language
Level12
First time using Lua, here. I knew about this programming language, but never had the opportunity to try it, although, it was (is 🙂 ) on my TODO list.
So, we have a small program listening on port 50001. When you connect to it, it asks for a password, hashes it and tries to match the result against a hard-coded hash.
In order to calculate the hash, the program relies on the popen function, which runs a shell command. I’m going to solve this one quickly, using the trick applied in the last exercise: I’ll place the SUID program and its compile script in the /tmp directory and make the program compile it.
In this last image, I chain commands. The reason is that the command being executed will be “echo password | sha1sum”, so I feed something to the echo and end that command with the “;” separator, in order to execute more commands. I make flag12.lua execute my bash script that compiles the SUID program, and I comment out the rest of the original command using the “#” symbol. The result of this execution can be found in the next image.
Now, we just need to execute this program, which is owned by flag12 and will run under the flag12 account, instead of level12.
There you go!
Challenges completed: 13/20
Mitigation
Once again, we can see the nefarious outcome of passing input directly from a user to a shell command, without sanitization.
From what I read, there are some implementations of SHA1 in pure Lua, which remove the shell from the picture entirely. If you still want to make a system call in order to compute the hash, restrict the input to an allowlist of characters, quote it so the shell sees a single literal word, and, most important, test it with hostile input!
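As an added example (not the level’s own flag12.lua, which is not reproduced here), this is how the hashing step could be hardened while still shelling out to sha1sum. It is written for Lua 5.1 (the version shipped with Nebula) and assumes nothing beyond the standard io and string libraries; the function names and the EXPECTED_HASH placeholder are my own, and the real hard-coded hash is deliberately not copied in.

```lua
-- Added example, not part of the original Nebula program.
-- Two layers of defence around the "echo <password> | sha1sum" idea from the level:
--   1. an allowlist check that refuses anything but letters and digits, so no
--      separator such as ";" or comment marker such as "#" ever reaches a shell;
--   2. shell quoting, so even a value that slipped past the allowlist would be
--      passed to the shell as one literal word.

-- Allowlist: 1..64 alphanumeric characters only (Lua pattern %w).
local function is_safe_password(p)
    return type(p) == "string"
        and #p >= 1 and #p <= 64
        and p:match("^%w+$") ~= nil
end

-- POSIX single-quote escaping: close the quote, insert an escaped quote,
-- reopen the quote. The extra parentheses drop gsub's second return value.
local function shell_quote(s)
    return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Computes the SHA1 of the password through sha1sum, or returns nil plus a reason.
local function hash_password(password)
    if not is_safe_password(password) then
        return nil, "rejected: password must be 1-64 alphanumeric characters"
    end
    -- printf '%s' is used instead of echo so leading dashes are never parsed as flags.
    local cmd = "printf '%s' " .. shell_quote(password) .. " | sha1sum"
    local proc = io.popen(cmd, "r")
    if not proc then
        return nil, "popen failed"
    end
    local out = proc:read("*a")
    proc:close()
    -- sha1sum prints "<40 hex digits>  -"; keep only the digest.
    local digest = out and out:match("^(%x+)")
    if not digest then
        return nil, "unexpected sha1sum output"
    end
    return digest
end

-- Placeholder: the original program's hard-coded hash is intentionally not reproduced.
local EXPECTED_HASH = "<hard-coded sha1 from the original program>"

local function check_login(password)
    local digest, err = hash_password(password)
    if not digest then
        return false, err
    end
    return digest == EXPECTED_HASH
end

-- Constructed inputs for a quick self-check when run as a script.
print(check_login("hello"))       -- well-formed: hashed, then compared (false with the placeholder)
print(check_login("hello; ls"))   -- contains a separator: refused before any shell runs
print(check_login("hello #x"))    -- contains a space and a comment marker: refused as well
```

The allowlist is the real fix; the quoting is a second line of defence for the day someone loosens the pattern. Note that `==` on strings is not a constant-time comparison, which is a separate concern from the injection this level is about.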