Writeups – Ping, A Temple Jest (securityfest.ctf.rocks)

One hour ago, I competed in the securityfest.ctf.rocks CTF. In the time I had to participate, I was able to solve two challenges. Without further ado:

Ping

The “ping” challenge was presented as a binary file, which you can download here.

We start by analyzing this in IDA, to get an overview of the program. This appears to be a simple menu-driven application, which allows a user to specify a name (to “login”) and an IP address, a simple check for the IP address, and a popen() block to call ping on the host system to ping the specified IP address, pictured below:

We can quickly notice some irregularities in the program design:

  • Firstly, 0x602060 seems to be re-used to store both the name and the IP address.
  • Secondly, the application allows you to log out, but not exit, indicating that it may be possible to poison the “state” of the application.
  • The variable at 0x602160 stores whether an IP address has been “set” or not, but does not appear to be cleared on logout.

Combining the three observations above gives us a viable attack scenario, as follows:

  • Log in, and set a valid IP address
  • Log out, but do not exit
  • Log in, setting 127.0.0.1;cat flag as your username
  • Run the “ping” command

This should execute a ping against localhost, but then also cat the “flag” file in the local directory. A few moments later, and we have success:

A Temple Jest

The “A Temple Jest” challenge was presented as a web challenge. Upon visiting the page, we are met with the following:

Inspecting the source code of the page, we are led to the “/render/404” URL. After a short period of fruitless exploration, I tested other URLs, such as “/render/200”, which gave a valid response; more interestingly, so did “/render/2+2”, giving a response like the following:

This immediately indicated server-side code execution of some sort – and given the challenge name (as well as the X-Powered-By: Express header, indicating Node.js), I made the assumption this was template injection.

We can validate this assumption by attempting to access /render/root, which returns the message “[object global] is under construction…”, confirming our suspicion. From here, we can duct tape together a payload to start reading files from the web server, uploading the results via an HTTP POST body, via curl, revealing the flag:

(I’m not sure what this challenge had to do with a memory leak… but sure, I’ll take 200 internet points).
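The root cause here is that the path parameter was treated as template source rather than as data, so “2+2” was evaluated and “root” resolved to the global object. The following is an added example for this writeup, not the challenge’s code (the page does not name the template engine, so no engine is assumed): an Express-shaped /render/:code handler that allowlists the parameter and substitutes it into a fixed template through an HTML-escaping placeholder routine, plus a small log check that flags /render/ requests whose parameter is not a three-digit status code, which is the probing pattern described above. handleRender(), parseStatusCode(), suspiciousRenderRequests() and the constructed SAMPLE_LOG lines are all introduced here.

```javascript
// Added example (not the challenge's code): /render/:code with the parameter
// handled strictly as data, plus a detection check over constructed log lines.

// The template text is a constant; it is never concatenated from request input.
const STATUS_TEMPLATE = '<h1>{{code}} {{reason}}</h1><p>{{reason}} is under construction...</p>';

// Allowlist of codes the page knows how to render (assumed set).
const REASONS = { 200: 'OK', 404: 'Not Found', 500: 'Internal Server Error' };

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Substitute {{name}} placeholders with escaped values; unknown names render
// empty. Values are only ever substituted, never compiled, so "2+2" or "root"
// inside a value cannot reach an evaluator.
function renderTemplate(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(values, name) ? escapeHtml(values[name]) : '');
}

// Exactly three digits, and a code from the allowlist; everything else is null.
function parseStatusCode(param) {
  if (typeof param !== 'string' || !/^\d{3}$/.test(param)) return null;
  const code = Number(param);
  return REASONS[code] !== undefined ? code : null;
}

// Express-shaped handler: takes { params: { code } }, returns { status, body }.
// Wire it as app.get('/render/:code', (req, res) => { const r = handleRender(req); res.status(r.status).send(r.body); }).
function handleRender(req) {
  const code = parseStatusCode(req.params.code);
  if (code === null) return { status: 400, body: 'invalid status code' };
  return { status: code, body: renderTemplate(STATUS_TEMPLATE, { code, reason: REASONS[code] }) };
}

// Constructed access-log lines (common log format) mirroring the probes above.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jun/2017:10:00:01 +0000] "GET /render/404 HTTP/1.1" 200 120',
  '10.0.0.5 - - [01/Jun/2017:10:00:02 +0000] "GET /render/2+2 HTTP/1.1" 200 90',
  '10.0.0.5 - - [01/Jun/2017:10:00:03 +0000] "GET /render/root HTTP/1.1" 200 95',
  '10.0.0.9 - - [01/Jun/2017:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 4000',
];

// Return the raw /render/ parameters that are not a plain three-digit code.
// Percent-encoded probes are decoded first so "%2B" does not slip past the check.
function suspiciousRenderRequests(lines) {
  const out = [];
  for (const line of lines) {
    const m = /"(?:GET|POST) \/render\/([^ ?]*)/.exec(line);
    if (!m) continue;
    let param = m[1];
    try { param = decodeURIComponent(param); } catch (e) { /* malformed encoding is itself suspicious */ }
    if (!/^\d{3}$/.test(param)) out.push(m[1]);
  }
  return out;
}

module.exports = { renderTemplate, parseStatusCode, handleRender, suspiciousRenderRequests, SAMPLE_LOG };
```

The allowlist does most of the work; the escaping substitution is defence in depth so that even a value taken from a less strict source still ends up in the response as text.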

I’d like to thank the organisers of the securityfest.ctf.rocks event for putting together a good number of challenges for everyone to enjoy. I hope that in future I am less busy when this event is on, so that I have more time to play. See you all in the LabyREnth Challenge and the Google Capture The Flag events!

About Norman

Sometimes, I write code. Occasionally, it even works.