Level12 shows once again the problem of unsanitized input, this time in a small Lua program. As usual, let’s try to obtain a shell under the flag12 account.
What you’ll need to know…
- Lua programming language
Level12
First time using Lua here. I knew about this programming language but never had the opportunity to try it, although it was (is 🙂 ) on my TODO list.
So, we have a small program listening on port 50001. When you connect to it, it asks for a password, hashes it and tries to match the result against a hard-coded hash.
![Overview](wp-content/uploads/2018/06/Overview.png)
To calculate the hash, the program relies on the popen function, which runs a shell command. I’m going to solve this one quickly, using the trick applied in the last exercise: I’ll place the SUID program and its compiler in the /tmp directory and make the vulnerable program compile it.
![commands](wp-content/uploads/2018/06/commands.png)
In this last image, I make use of command chaining. The command being executed is “echo password | sha1sum”, so I fed something to the echo and ended that command with the “;” separator in order to execute further commands. I made flag12.lua execute my bash script, which compiles the SUID program, and commented out the rest of the original command with the “#” symbol. The result of this execution can be seen in the next image.
![SUID](wp-content/uploads/2018/06/suid-1.png)
Now we just need to execute this program, which is owned by flag12 and will run under the flag12 account instead of level12.
![Result level12](wp-content/uploads/2018/06/result_level1.png)
There you go!
Challenges completed: 13/20
Mitigation
Once again, we can see the nefarious outcome of passing user input directly to a program (here, a shell command) without sanitization.
From what I read, there are SHA1 implementations written in Lua, but in any case, if you want to make a system call to compute the hash, make sure that no harmful outcome can arise from the input and, most importantly, test it!
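As an added illustration (this is not the challenge’s flag12.lua), here is the unsafe popen pattern the write-up describes next to a hardened version that validates and quotes the password before it reaches the shell; the function names and the allowlist are my own assumptions, and sha1sum is assumed to be on PATH.

```lua
-- Added example, not the original flag12.lua: the unsafe pattern the write-up
-- describes beside a hardened version. Assumes `sha1sum` is on PATH; all
-- function names here are mine.

-- UNSAFE: the raw password is spliced into a shell command line, so ';', '|',
-- '#' or $(...) inside it are interpreted by /bin/sh instead of being hashed.
local function hash_unsafe(password)
  local prog = assert(io.popen("echo " .. password .. " | sha1sum", "r"))
  local data = prog:read("*a")
  prog:close()
  return string.sub(data, 1, 40)
end

-- Step 1: allowlist. A password handed to a shell has no business containing
-- shell syntax, so reject anything outside a small set of characters.
local function validate(password)
  if #password == 0 or #password > 64 then
    return false, "bad length"
  end
  if not password:match("^[%w_%-%.]+$") then
    return false, "disallowed character"
  end
  return true
end

-- Step 2: defence in depth. Wrap the value in single quotes; the only
-- character that can break out of them is another single quote, which
-- becomes '\'' (close quote, escaped quote, reopen quote).
local function shell_quote(s)
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

-- SAFER: validate first, quote anyway, and use printf '%s' rather than echo
-- so the shell never interprets options or escapes inside the value.
local function hash_safe(password)
  local ok, err = validate(password)
  if not ok then return nil, err end
  local cmd = "printf '%s' " .. shell_quote(password) .. " | sha1sum"
  local prog = assert(io.popen(cmd, "r"))
  local data = prog:read("*a")
  prog:close()
  return data:match("^(%x+)")  -- sha1sum prints "<digest>  -"; keep the digest
end

-- Demo: a shell-shaped input is refused before any command runs.
for _, input in ipairs({ "secret", "pw; id #" }) do
  local digest, err = hash_safe(input)
  print(string.format("%-12s -> %s", input, digest or ("rejected: " .. err)))
end
```

Note that printf '%s' omits the trailing newline that echo appends, so a stored hash originally computed with echo will no longer match and must be regenerated the same way.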