1. Challenge Information
- Category: Web
- Difficulty: Easy
- Challenge Description / Prompt: A Lua online executor
2. TL;DR Solution Summary
There’s a secret function left in the Lua environment that executes OS commands; it can be used to read flag.txt.
3. Exploitation
- The app allows the user to execute Lua code.
- My initial guess was to use the os.execute() function to run some shell commands, but when I try it, it returns an error suggesting that the os module has been deliberately removed from the environment (Lua includes the os module by default).
- Lua stores modules and other globals in the _G table, so I wrote a for loop to enumerate everything in the environment:
  for k, v in pairs(_G) do print(k, type(v)) end
- The app returned the list of globals; one interesting entry is the S3cr3t0sEx3cFun function.
- Since it’s a function, my guess is that it behaves the same as os.execute, taking a shell command as its input.
- I used it to traverse the file system, and then retrieved the flag using
  print(S3cr3t0sEx3cFun("cat ../flag"))
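The root cause here is a denylist sandbox: the host removed os from the global table but left another OS-reaching function in _G, and enumerating _G is all it took to find it. As an added defensive example (not code from the challenge or from the original writeup), the block below shows how an online Lua executor can avoid this class of leak by running user code under an allow-list environment, so that from the untrusted chunk's point of view nothing but the permitted functions exists. The function names, the stub standing in for S3cr3t0sEx3cFun and the sample inputs are assumptions for the demonstration; it requires Lua 5.2 or later (load with an explicit env argument).

```lua
-- Added defensive example; not code from the challenge or the original writeup.
-- Deleting `os` from _G is a denylist: anything else that reaches the OS (here a
-- stand-in for the hidden wrapper) stays reachable through _G. An allow-list
-- environment hands untrusted code only the functions it should have.
-- Requires Lua 5.2+ (load(chunk, name, mode, env)); Lua 5.1 would use setfenv.

local function make_sandbox_env()
  local env = {
    print    = print,
    pairs    = pairs,
    ipairs   = ipairs,
    type     = type,
    tostring = tostring,
    tonumber = tonumber,
    -- pure helpers only: no io, os, load, require, dofile, debug, package
    string = { format = string.format, sub = string.sub, rep = string.rep,
               len = string.len, upper = string.upper, lower = string.lower },
    math   = { floor = math.floor, max = math.max, min = math.min, abs = math.abs },
  }
  env._G = env -- enumerating _G from inside reveals only this table
  return env
end

-- Run untrusted source under the allow-list env. Mode "t" accepts text chunks
-- only; precompiled bytecode is not verified by the VM and must never be loaded.
local function run_untrusted(source)
  local chunk, err = load(source, "=user", "t", make_sandbox_env())
  if not chunk then
    return false, "compile error: " .. err
  end
  return pcall(chunk)
end

-- Simulated host state (constructed for this demo): a command wrapper sits in
-- the real global table, exactly the kind of leftover the writeup found ...
S3cr3t0sEx3cFun = function(cmd) return "would run: " .. cmd end

-- ... but inside the sandbox it is simply absent, as are os and io.
print(run_untrusted([[ for k, v in pairs(_G) do print(k, type(v)) end ]]))  -- lists the allow-list, then true
print(run_untrusted([[ return S3cr3t0sEx3cFun("id") ]]))  -- false, attempt to call a nil value
print(run_untrusted([[ return os.execute("id") ]]))        -- false, attempt to index a nil value (global 'os')
print(run_untrusted([[ return string.rep("ok", 3) ]]))     -- true, okokok
```

Two caveats a reviewer would raise even with this in place: the shared string metatable still resolves method calls such as ("x"):rep(3) against the real string library, so it should be replaced (or its __index pointed at the allow-listed table) if that library must not leak; and an allow-list does nothing about CPU or memory exhaustion, which needs debug.sethook instruction limits or, better, an OS-level limit on a separate worker process.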
