
OverTheWire: NATAS 29

This level presents you with several articles from an old ezine about Perl hacking.

The page script “/index.pl” is what’s processing our selection. Here it is in Burp Suite:

Objective 1 – sourcecode

I read some of the ezine issues and tried a few things with the input to “index.pl”. Eventually I figured out that the trick is Perl piping. The documentation says:

“Perl’s open function opens a pipe instead of a file when you append or prepend a pipe symbol to the second argument to open. This turns the rest of the arguments into a command, which will be interpreted as a process (or set of processes) that you want to pipe a stream of data either into or out of.”

Given the insight that piping can lead to command injection, all we should have to do is add “|” to the beginning of the “file” variable and then we have total control! My first goal is to get the source for “index.pl” since the page doesn’t give us the link for it. ?file=|cat+index.pl should work. But that alone doesn’t get anything.

The clue here is the “file” variable itself. The script is looking up a file, but there’s no extension on it, which could mean the extension is being forced. Null byte injection is how to solve that issue.

Trying ?file=|cat+index.pl%00 works!

Objective 2 – password

Of course the first thing to try would be ?file=|cat+/etc/natas_webpass/natas30%00, but that doesn’t work! Surprise! We only get a “meeeeeep!” close to the end of the page.

Looking in the source shows the culprit:

if($f=~/natas/){
    print "meeeeeep!<br>";
}

It’s a simple word filter, and there are a few tricks to getting around those.

  1. Single Character Wildcard – The question mark is a wildcard for a single character in the Bash shell.
  2. Concatenated Strings – In Bash, there is something called string literal concatenation, meaning that adjacent string literals are concatenated, without any operator. An example would be "Hello, ""World" which has the value "Hello, World".

Some examples of strings to use for the “file” variable:

  1. |cat+/etc/na?as_webpass/na?as30%00
  2. |cat+'/etc/na"tas_webpass/nat"as'30%00

Using either of these will show the password at the bottom of the response HTML.
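As an added example, not the level’s own index.pl (which this post never reproduces in full), here is the two-argument open pattern the walkthrough exploits in Objective 1, with the word filter from Objective 2 bolted on, beside a hardened version that allow-lists the article name and uses three-argument open. The article names and directory are assumptions.

```perl
#!/usr/bin/perl
# Added example: vulnerable vs. hardened file lookup for a "?file=" parameter.
use strict;
use warnings;

# Vulnerable: two-argument open treats a leading "|" in $file as a pipe, so the
# rest of the string is run as a shell command and the forced ".txt" suffix is
# cut off by an embedded null byte. Checking for the word "natas" afterwards
# does not help: the command has already been chosen, and ?, quotes or other
# shell tricks spell the same path without that substring.
sub read_vulnerable {
    my ($file) = @_;
    return "meeeeeep!" if $file =~ /natas/;
    open(my $fh, $file . ".txt") or return "no such file";   # DO NOT DO THIS
    local $/;                                                  # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened: only names from a fixed allow-list are accepted (assumed names),
# the path is built server-side, and three-argument open with an explicit '<'
# mode means no character in $file can change what open does. A null byte or
# "|" never reaches the filesystem or a shell.
my %ARTICLES = map { $_ => 1 } qw(perl_underground perl_underground2);  # assumed
my $ARTICLE_DIR = "/var/www/articles";                                   # assumed

sub read_hardened {
    my ($file) = @_;
    unless (defined $file && $file =~ /\A[A-Za-z0-9_]+\z/ && $ARTICLES{$file}) {
        warn "rejected file parameter: " . (defined $file ? $file : "undef") . "\n";
        return "meeeeeep!";   # log the rejection; probes like "|cat" now show up
    }
    open(my $fh, '<', "$ARTICLE_DIR/$file.txt") or return "no such file";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Demonstration with the injection string from Objective 1 (constructed input).
my $probe = "|cat index.pl\0";
print "hardened: ", read_hardened($probe), "\n";      # prints "meeeeeep!" and logs it
print "hardened: ", read_hardened("perl_underground"), "\n";
```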

This post is licensed under CC BY 4.0 by the author.