Over the past weekend, I participated in the INS’Hack CTF. This was a well executed CTF with a fairly mixed bag of challenges. A sizeable serving of salt came from a blind Python breakout which took a bit of brute force, but as I neared completion, was declared not working (nevertheless, this was a lot of fun, and I broadened my creative horizons a bit).
One noteworthy and excellent aspect of this CTF was a COBOL challenge: truth told, this was the first time I had ever seen COBOL. Without further ado, the writeup follows:
This challenge was presented as a low-value (IIRC) exploitation challenge, with the source code to a COBOL program provided. You can download this here. Honestly, I’m amazed GitHub has syntax highlighting for this.
Reviewing the challenge reveals what appears to be a straightforward buffer overflow:
```cobol
02 TMPNAME    PIC X(10).
02 TMPSCORE   PIC 99.
02 SUBPRGARG  PIC X(20).
02 SUBPRGNAME PIC X(20).
```
This appears to be triggered by the SEND-CLOUD paragraph, COBOL’s rough equivalent of a function:
```cobol
SEND-CLOUD.
    IF SUBPRGNAME = SPACE
        MOVE "send" TO SUBPRGNAME
        MOVE "matchs" TO SUBPRGARG
    END-IF
    DISPLAY SUBPRGNAME " " SUBPRGARG
    CALL SUBPRGNAME USING SUBPRGARG.
END-SEND-CLOUD.
```
A little bit of brute forcing yields the argument lengths required to load SUBPRGARG and SUBPRGNAME – but invoking “CALL ls USING /” yields nothing meaningful. A little while of Googling later, we stumble across the SYSTEM COBOL module, and a working exploit appears:
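For contrast, here is the same record layout with the two fixes a reviewer would ask for: input is accepted into a field exactly as wide as the name (so excess characters are truncated rather than written across TMPSCORE, SUBPRGARG and SUBPRGNAME), and the dynamic CALL target is checked against the one sub-program the paragraph is meant to invoke. This is an added example written for this post, not the challenge’s source; it assumes the name arrives as a single console line via ACCEPT (the original program’s input path is not shown here) and uses GnuCOBOL-style fixed-format source.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SEND-CLOUD-DEMO.

       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Same four adjacent fixed-width fields as the challenge record.
      * Accepting a line straight into PLAYER-REC would let a 52-byte
      * input fill all four fields, SUBPRGNAME included.
       01 PLAYER-REC.
          02 TMPNAME    PIC X(10).
          02 TMPSCORE   PIC 99.
          02 SUBPRGARG  PIC X(20).
          02 SUBPRGNAME PIC X(20).
      * Bounded input buffer (assumption: input is one console line).
       01 INPUT-LINE   PIC X(10).

       PROCEDURE DIVISION.
       MAIN-PARA.
           MOVE SPACES TO PLAYER-REC
           DISPLAY "Name? "
      * ACCEPT into a 10-byte item: characters past the tenth are
      * dropped and never reach the neighbouring fields.
           ACCEPT INPUT-LINE
           MOVE INPUT-LINE TO TMPNAME
           PERFORM SEND-CLOUD
           STOP RUN.

       SEND-CLOUD.
           IF SUBPRGNAME = SPACE
               MOVE "send" TO SUBPRGNAME
               MOVE "matchs" TO SUBPRGARG
           END-IF
      * Only a known sub-program name may be CALLed; anything else in
      * SUBPRGNAME (e.g. SYSTEM) is reported and refused.
           EVALUATE SUBPRGNAME
               WHEN "send"
                   DISPLAY SUBPRGNAME " " SUBPRGARG
                   CALL SUBPRGNAME USING SUBPRGARG
                       ON EXCEPTION
                           DISPLAY "sub-program not available"
                   END-CALL
               WHEN OTHER
                   DISPLAY "refusing to CALL unknown program: "
                           SUBPRGNAME
           END-EVALUATE.
```

The EVALUATE is the part that matters even if the input path is later changed: a CALL whose target is an identifier rather than a literal is effectively a function pointer, so the name should be allow-listed at the point of use rather than trusted because it “should” still hold its initial value.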
Thank you to the organisers of INS’Hack for putting this challenge together, and coming up with some really creative challenges.
I realize I haven’t written anything for the past few months, and truth told, haven’t been pushing myself to work as hard on side projects (at least to completion). I acknowledge this weakness and strive to correct it – I look forward to another year of pushing my boundaries.