Introduction
In Level 11, we are provided with a Lua script that starts a server on port 5151. The objective is to exploit a security vulnerability in this script to gain unauthorized access.
Step-by-Step Guide
Step 1: Understanding the Lua Script
First, let’s examine the Lua script located in the home directory of Level 11. The script starts a server on port 5151.
Here is the content of the Lua script:
1 | #!/usr/bin/env lua |
Step 2: Identifying the Vulnerability
The vulnerability lies in the hash function, specifically in this line:
1 | prog = io.popen("echo "..pass.." | sha1sum", "r") |
The input pass is directly concatenated into a shell command without any sanitization, leading to a command injection vulnerability.
Step 3: Exploiting the Vulnerability
To exploit this vulnerability, we can inject a command to redirect the output of the getflag command to a temporary file.
When you connect to the server on port 5151, you are prompted to enter a password. Since the input is not sanitized, we can inject our payload.
Here is the exploit command:
1 | echo -e "\$(getflag > /tmp/level12flag)" | nc localhost 5151 && cat /tmp/level12flag |
Step 4: Executing the Exploit
1. Open a terminal and run the following command to connect to the server and inject the payload:
1 | echo -e "\$(getflag > /tmp/level12flag)" | nc localhost 5151 |
2. The `getflag` command's output will be redirected to `/tmp/level12flag`.
3. Next, read the contents of the file to get the flag for Level 12:
1 | cat /tmp/level12flag |
Summary
In this walkthrough, we identified and exploited a command injection vulnerability in a Lua script provided in Level 11 of the Snowcrash project. By injecting a malicious command, we were able to redirect the output of the getflag command to a file and retrieve the flag for the next level.
Feel free to reach out if you have any questions or need further clarification on any steps. Good luck with your continued learning and hacking journey!