This next challenge is a little bit more tricky than some of the previous ones. There’s a lot more code involved, but it’s not too bad.
In the flag07 home directory you’ll find the configuration for a simple HTTP server, thttpd.conf. Inside, you’ll see that it runs an HTTP server on port 7007 as the flag07 user. This is where the Perl script that is provided comes in.
You can now browse to this script by going to http://
The Perl script takes a parameter named “Host” and pipes it straight into the ping command. Because the script does no checking of that parameter before handing it to the shell, we can inject additional commands through it. To make this easy, I made a quick HTML document to assist, so I didn’t have to do the encoding of spaces and symbols by hand.
Now I can open that html file in my browser of choice, and when I submit, it’ll automatically do all the encoding for me, so I can just worry about the injection.
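For contrast, here is how the Host parameter should have been handled on the server side. This is an added example, not the level’s Perl script: it allow-lists the value as a literal IP address or plain DNS name and builds the ping command as an argument list so no shell is ever involved. The helper names are my own.

```python
import ipaddress
import re
import subprocess

# Hypothetical allow-list for one DNS label: letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 characters.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_safe_host(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a plain DNS name.

    Spaces, ';', '|', '`', '$(' and newlines never match, so every
    command-injection payload is rejected before anything is executed.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    # fullmatch (not match with '$') so a trailing newline cannot slip through
    return all(_LABEL.fullmatch(label) for label in labels)


def build_ping_argv(host: str) -> list:
    """Return ping's argv for a validated host; raise ValueError otherwise.

    The vulnerable pattern is string concatenation into a shell command;
    an argv list passed to exec never reinterprets shell metacharacters.
    """
    if not is_safe_host(host):
        raise ValueError("rejected Host parameter: %r" % host)
    return ["ping", "-c", "3", host]


def ping_host(host: str, timeout: float = 10.0) -> int:
    """Run ping without a shell and return its exit status."""
    argv = build_ping_argv(host)
    proc = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return proc.returncode
```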
In addition to the HTML page, I also modified my level03.c from a prior post to make it more generic. I saved this file as /tmp/bash_id.c:
This modified source file now takes a parameter of the user id you want to impersonate. I want to impersonate the flag07 user, so I checked out the /etc/passwd file.
From that file I know that flag07 has user id 992.
I opened the HTML file that I made, and in the textbox typed:
When I clicked the submit button, it sent the final command of:
The first part makes ping fail with a usage error, so it exits quickly. The rest compiles my newly written bash_id.c, places the executable in the /home/flag07 folder, and marks it executable and SUID. From there, it was as simple as executing that program with the 992 parameter and running “getflag”.