December 28, 2017

Nebula level09 write-up

(Image: description of Nebula level09)

The level description says that the wrapper calls the same PHP file shown above.




(Image: initial state of Nebula level09)

flag09 is a SUID wrapper binary; it exists to run flag09.php with the privileges of the flag09 account.

flag09.php is a small echo-style program that takes two arguments. The first argument is a file path: the script opens that file and prints its contents.




(Image: vulnerability of Nebula level09)

PHP's preg_replace() function is vulnerable to code injection when it is called with the "/e" modifier. Here the call finds a string of the form [email xxxxx] in $contents and replaces it with the return value of the spam() function. Because the "/e" flag is set, preg_replace() treats its second argument (the replacement string) as PHP code and evaluates it after substituting the captured groups.

In a regular expression, \n (a backslash followed by a digit) is a backreference. Here \2 refers to the second capture group matched by the pattern, which is the xxxxx part.

※ Learn more about regular expressions (Link)
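As an added example (not the level's own flag09.php), the same [email xxxxx] substitution is written below twice: once in the vulnerable "/e" style described above, and once in a hardened form using preg_replace_callback(), which calls a real PHP function and passes the captured text only as a string argument. The spam() helper and the sample input are constructed for this illustration.

```php
<?php
// Constructed helper standing in for the level's spam() function:
// obfuscate an address so it is less useful to address harvesters.
function spam($email) {
    return str_replace(array('@', '.'), array(' AT ', ' DOT '), $email);
}

// Vulnerable form. With the /e modifier, preg_replace() substitutes \2 into
// the replacement string and then eval()s the result, so whatever text sits
// inside [email ...] is interpreted as PHP code, not just as data.
// The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where this
// call emits a warning and returns NULL.
function markup_unsafe($contents) {
    return preg_replace('/(\[email (.*)\])/e', 'spam("\\2")', $contents);
}

// Hardened form. preg_replace_callback() hands the match array to a closure;
// the captured group is an ordinary string parameter and is never evaluated.
function markup_safe($contents) {
    return preg_replace_callback(
        '/(\[email (.*)\])/',
        function ($m) { return spam($m[2]); },
        $contents
    );
}

// Constructed sample input.
$contents = "Contact: [email user@example.com]\n";
echo markup_safe($contents);   // prints: Contact: user AT example DOT com
```

The hardened version keeps the pattern and the two capture groups exactly as in the original so that the only change is how the replacement is produced; that is the usual migration path for code that relied on "/e".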




(Image: getting the flag at Nebula level09)

Since only the return value of spam() is used, [email system(getflag)] is simply treated as a string, as the image above shows. Therefore the payload has to be wrapped so that it is recognised as code when the replacement is evaluated.

The identified packaging methods are as follows.

[email ${@system(getflag)}]
[email {${system(getflag)}}]
[email {${exec(getflag)}}]

※ This is one form of code injection attack. Do you know all about it? (Link)



(Image: flag obtained at Nebula level09)

The flag was obtained successfully.