Nebula level 09 – Exploiting preg_replace in PHP


preg_replace is a PHP function that uses PCRE, deprecated in PHP version 5.5.0 (you should use preg_replace_callback instead). Its main goal is, as its name suggests, string replacement. Let's see an example:

<?php
// Each pattern is replaced by the replacement with the same index.
$string = 'Ugly level';

$pattern[0] = '/Ugly/';
$pattern[1] = '/level/';

$replacement[0] = 'Tricky';
$replacement[1] = 'function';

echo preg_replace($pattern, $replacement, $string);
?>

The output will be «Tricky function».

The problem arises when using the «e» modifier, which allows us to use native PHP functions in the replacement parameter, as in the example from this level:

<?php

function spam($email)
{
  $email = preg_replace("/\./", " dot ", $email);
  $email = preg_replace("/@/", " AT ", $email);

  return $email;
}

function markup($filename, $use_me)
{
  $contents = file_get_contents($filename);

  // Vulnerable line: with the "e" modifier the replacement string is
  // evaluated as PHP code after \2 has been substituted into it.
  $contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);
  $contents = preg_replace("/\[/", "<", $contents);
  $contents = preg_replace("/\]/", ">", $contents);

  return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>

Let's see how it works. We have set up a file in /tmp that contains 2 lines that will produce two different behaviors within the vuln function of this level. I have to say I had to read a lot of documentation regarding this, but that's the main reason why I started these challenges: +1 PHP, +1 PRIVESC, +1 PCRE, -1 preg_replace, so funny!





The first red box shows the /tmp/file we're passing through the PHP sink function, the second box shows id executed as the flag09 user, the one we want to escalate to, and the third red box shows the normal behavior of the program. Note that flag09.php is executed by a binary that flag09 owns, as you can also see in the picture above.

«There’s a C setuid wrapper for some vulnerable PHP code…»

So if we are able to execute code, it will run with flag09 privileges.




Lastly, I have to say I would have been caught this time if some admin had implemented the method I described in my last post about fsnoop.
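For the defensive side, here is an added example (not from the original post or the Nebula level) of the same markup logic with the «e» modifier removed and preg_replace_callback used instead, as recommended at the top of the post. The function name markup_safe() and the sample input are assumptions made for illustration.

```php
<?php
// Added example: the level's markup logic without the "e" modifier.
// markup_safe() is a hypothetical name; the sample text is constructed.

function spam($email)
{
    $email = preg_replace("/\./", " dot ", $email);
    $email = preg_replace("/@/", " AT ", $email);

    return $email;
}

function markup_safe($contents)
{
    // The callback receives the match array. $m[2] is passed to spam()
    // as an ordinary string, so nothing in the file is parsed as PHP source.
    $contents = preg_replace_callback(
        "/(\[email (.*)\])/",
        function ($m) {
            return spam($m[2]);
        },
        $contents
    );

    // preg_replace_callback() returns null on a PCRE error; fail closed.
    if ($contents === null) {
        throw new RuntimeException("PCRE error code: " . preg_last_error());
    }

    $contents = preg_replace("/\[/", "<", $contents);
    $contents = preg_replace("/\]/", ">", $contents);

    return $contents;
}

// Constructed input: a normal address, an address containing characters
// that are special inside PHP string literals, and ordinary markup.
$sample = "[email user@example.com]\n"
        . '[email $name"@example.com]' . "\n"
        . "[b]bold[/b]\n";

print markup_safe($sample);
```

With the callback form, the second line comes back with its dollar sign and quote intact, because the captured text is only ever treated as data.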

