Level04 introduces command injection vulnerabilities in web applications through a Perl CGI script. This challenge demonstrates how improperly sanitized user input in web applications can lead to arbitrary command execution. The level emphasizes understanding CGI scripting, web parameter manipulation, and the dangers of using shell execution with untrusted input.
Following the established pattern, I began by examining the home directory to identify any relevant files:
ls -la
The output revealed:
-r-x------ 1 level04 level04 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level04 level04 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag04 level04 152 Mar 5 2016 level04.pl*
-r-x------ 1 level04 level04 675 Apr 3 2012 .profile*
The file level04.pl immediately stood out: the .pl extension indicated a Perl script, and the SUID and SGID bits were set with flag04 as the owner. Note that Linux ignores the setuid and setgid bits on interpreted scripts, so the bits by themselves do not make a #! script run as flag04; what matters is the account under which the web service on port 4747 executes it. In this challenge that account is flag04, as the successful getflag call below shows.
I examined the contents of the file:
cat level04.pl
The script contained:
#!/usr/bin/perl
# localhost:4747
use CGI qw{param};
print "Content-type: text/html\n\n";
sub x {
  $y = $_[0];
  print `echo $y 2>&1`;
}
x(param("x"));
The script header and structure revealed this was a CGI (Common Gateway Interface) script. CGI is a standard protocol that enables web servers to execute external programs in response to HTTP requests, allowing for dynamic content generation.
The comment # localhost:4747 indicated that this script was configured to run as a web service listening on port 4747.
Let me break down what the Perl script was doing:
- use CGI qw{param}; - Imports the CGI module to handle web parameters
- print "Content-type: text/html\n\n"; - Sends the HTTP headers required for CGI
- sub x { ... } - Defines a function that takes one parameter
- print `echo $y 2>&1`; - Uses backticks to execute a shell command
- x(param("x")); - Calls the function with the value of the HTTP parameter "x"
The critical vulnerability lies in the print `echo $y 2>&1`; statement. Backticks in Perl behave like a double-quoted string (variables are interpolated) whose result is then run as a shell command, with the command's output returned. Because the string contains shell metacharacters (the 2>&1 redirection), Perl hands it to /bin/sh -c rather than running echo directly. The script takes user input from the web parameter x, inserts it into that command string without any validation or sanitization, and executes it.
The vulnerability in this script is a classic case of command injection. Command injection, also known as shell injection, is a security vulnerability that allows an attacker to execute arbitrary commands on the host operating system through a vulnerable application. This occurs when an application passes unsafe user-supplied data to a system shell without proper validation.
In this specific case, the backticks execute whatever is inside them as a shell command. On Unix-like systems, backticks or the $(...) form perform command substitution, so an attacker can embed a command inside the original command and have the shell run it inline. Since the user controls the value of the x parameter, they can inject additional commands.
The script was designed to echo whatever parameter was passed to it, but because it uses backticks with unsanitized input, an attacker can break out of the echo command and execute arbitrary commands. Since the web service runs the script as flag04, any injected commands also execute with that account's privileges.
To exploit this vulnerability, I needed to pass a command to the CGI script that would execute getflag instead of just echoing text. The key was understanding that the backticks would execute whatever command I provided.
I used curl, a command-line tool for making HTTP requests, to interact with the web service:
curl 'http://localhost:4747?x=`getflag`'
Note that curl sends the backticks unencoded in the query string; if a server rejected the raw form, curl's --data-urlencode option (together with -G) would percent-encode the parameter. Let me explain what happens when this request is processed:
- The CGI script receives the HTTP request
- It extracts the parameter x, which contains `getflag`
- The script constructs the command: echo `getflag` 2>&1
- The shell first evaluates the command substitution `getflag`: getflag executes as flag04 (the account the web service runs under) and returns the password
- The shell substitutes the result into the echo command
- The output is returned in the HTTP response
The exploit works because of the order in which the two layers process the string. Perl first interpolates $y into the backtick string, producing the text echo `getflag` 2>&1; only these outer backticks are Perl syntax. Perl then passes that text to /bin/sh -c, and the shell performs command substitution on the inner backticks: it runs getflag, captures its output, and substitutes it into the command line before echo is executed. In other words, the injected command runs as a normal shell command substitution, which the shell resolves before the enclosing command; a $(getflag) payload, or a ;getflag suffix, would work the same way once the input reaches the shell.
Executing the curl command successfully exploited the vulnerability:
curl 'http://localhost:4747?x=`getflag`'
The flag was successfully retrieved: ne2searoevaevoem4ov4ar8ap
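To make the mechanism concrete and show the fix, here is an added example that is not part of the challenge files: a standalone Perl script with the vulnerable function from level04.pl beside a hardened one. It assumes /bin/echo and the id command exist, and uses `id -un` in place of getflag so it runs on any Unix host; the function names x_vuln and x_safe and the allowlist pattern are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable form, as in level04.pl: $y is interpolated into the backtick
# string, and because the string contains shell metacharacters Perl runs it
# via /bin/sh -c. The shell then performs command substitution on any
# backticks or $(...) the user supplied before echo is ever executed.
sub x_vuln {
    my ($y) = @_;
    return `echo $y 2>&1`;
}

# Hardened form: validate against an allowlist, then run the program with
# the list form of open(), which never involves a shell. Metacharacters in
# $y are just literal bytes of a single argument. The first character must
# be a word character so the value cannot be parsed as an echo option.
sub x_safe {
    my ($y) = @_;
    die "invalid input\n"
        unless defined $y && $y =~ /\A\w[\w .,!-]{0,63}\z/;
    open(my $fh, '-|', '/bin/echo', $y) or die "open: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed payload: the same shape as the one sent to the web service,
# with `id -un` standing in for `getflag` (assumption: id is available).
my $payload = '`id -un`';

print "vulnerable: ", x_vuln($payload);
my $safe = eval { x_safe($payload) };
print "hardened:   ", defined $safe ? $safe : "rejected: $@";
print "hardened (benign input): ", x_safe('hello world');
```

The vulnerable function returns whatever `id -un` printed, because the shell substituted the command's output before running echo; the hardened one rejects the payload outright and, for benign input, passes the text to /bin/echo as one argument with no shell in between. Perl's taint mode is a further safety net for CGI scripts: with #!/usr/bin/perl -T, data returned by param() is tainted, and using it in backticks or system() dies with "Insecure dependency" unless it has first been untainted by extracting it with a regex capture.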
Level04 demonstrated a critical web application security vulnerability that remains common even in modern applications. Command injection through CGI scripts represents a significant risk, particularly when the web server runs them under a privileged account, as it did here with flag04.
CGI programs run by default in the security context of the web server, and when not carefully written, can allow attackers to execute commands with elevated privileges. The vulnerability in this level existed because the script used backticks to execute shell commands with user-controlled input without any sanitization or validation.
The simplicity of this exploit - a single curl command - underscores how easily command injection vulnerabilities can be exploited when proper security measures aren't in place. This level serves as a powerful reminder that user input should never be trusted and must always be validated, sanitized, and handled with extreme caution.
Flag: ne2searoevaevoem4ov4ar8ap
Next Level: Level05