One hour ago, I competed in the securityfest.ctf.rocks CTF. In the time I had to participate, I was able to solve two challenges. Without further ado:
Ping
The “ping” challenge was presented as a binary file, which you can download here.
We start by analyzing this in IDA, to get an overview of the program. This appears to be a simple menu-driven application, which allows a user to specify a name (to “login”) and an IP address, a simple check for the IP address, and a popen() block to call ping on the host system to ping the specified IP address, pictured below:
We can quickly notice some irregularities in the program design:
- Firstly, 0x602060 seems to be re-used to store both the name and the IP address.
- Secondly, the application allows you to log out, but not exit, indicating that it may be possible to poison the “state” of the application.
- The variable at 0x602160 stores whether an IP address has been “set” or not, but does not appear to be cleared on logout.
Combining the three assumptions above gives us a viable attack scenario, as follows:
- Log in, and set a valid IP address
- Log out, but do not exit
- Log in, setting 127.0.0.1;cat flag as your username
- Running the “ping” command
This should execute a ping against localhost, but then also cat the “flag” file in the local directory. A few moments later, and we have success:
A Temple Jest
The “A Temple Jest” challenge was presented as a web challenge. Upon visiting the page, we are met with the following:
Inspecting the source code of the page, we are led to the “/render/404” URL. After a short period of fruitless exploration, I tested other URL’s, such as “/render/200”, which gave a valid response: and more interestingly, so did “/render/2+2”, giving a response like the following:
This immediately indicated server-side code execution of some sort – and given the challenge name (as well as the X-Powered-By: Express header, indicating Node.js), I made the assumption this was template injection.
We can validate this assumption by attempting to access /render/root, which returns the message “[object global] is under construction…”, confirming our suspicion. From here, we can duct tape together a payload to start reading files from the web server, uploading the results via an HTTP POST body, via curl, revealing the flag:
(I’m not sure what this challenge had to do with a memory leak… but sure, I’ll take 200 internet points).
I’d like to thank the organisers of the securityfest.ctf.rocks event for putting together a good number of challenges for everyone to enjoy. I hope that in future, I am less busy when this event is on, so I could have more time to play. See you all in the LabyREnth Challenge, and the Google Capture The Flag events!