[DevCTF 2022] ManDir
Hmm… quite an interesting text box, but one that seemingly does nothing. Wonder what sits behind it.
The homepage mentions pandoc and provides a text box for input. Pandoc is popularly used for converting Markdown to HTML, so let's try that against this webpage.
As expected, the page converts the Markdown to HTML and displays the result. We can assume all of this is being done through pandoc. If you read more about pandoc, it is a Haskell library for converting from one markup format to another. If you go through some of the CVEs for pandoc, you will find a script-injection vulnerability in its older versions. Maybe we could try that vulnerability against this version as well.
<script src="file:///etc/passwd"></script>
As you can see, the file contents are listed. This means we can read arbitrary files on the system.
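The observed behaviour (a local file referenced from raw HTML ends up inlined in the output) is what a defender of such a service needs to prevent. The following is an added example, not code from the challenge or from pandoc itself. It assumes the service shells out to the pandoc binary and currently passes raw HTML through unchanged; the function and constant names are mine. It shows two layers: a pre-screen that rejects submissions whose raw HTML references local resources, and a pandoc command line that disables raw HTML and sandboxes I/O so the screen is defence in depth rather than the only barrier.

```python
"""Input hardening for a Markdown-to-HTML service built on pandoc.

Added example (not the challenge's or pandoc's code). Assumes the service
invokes the pandoc binary on untrusted Markdown. Layer 1 screens the input
for raw-HTML resource references that must never be fetched; layer 2 builds
a pandoc command line that does not trust the input in the first place.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which an HTML consumer fetches an external resource.
RESOURCE_ATTRS = {"src", "href", "data", "poster"}
# Schemes a public converter should be allowed to reference at all.
ALLOWED_SCHEMES = {"http", "https"}


class _ResourceRefCollector(HTMLParser):
    """Collect (tag, attr, value) for every resource-bearing attribute.

    HTMLParser lowercases tag and attribute names and decodes character
    references in attribute values, so obfuscations such as `FILE:` or
    `&#102;ile:` are normalised before the scheme check runs.
    """

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in RESOURCE_ATTRS and value is not None:
                self.refs.append((tag.lower(), name.lower(), value.strip()))


def find_disallowed_refs(markdown_text):
    """Return raw-HTML resource references a converter must not resolve.

    Flags file: URIs and every other non-http(s) scheme, plus scheme-less
    values that look like filesystem paths (absolute, parent-relative, ~).
    Plain Markdown with no raw HTML yields an empty list.
    """
    collector = _ResourceRefCollector()
    collector.feed(markdown_text)
    collector.close()
    disallowed = []
    for tag, attr, value in collector.refs:
        scheme = urlparse(value).scheme.lower()
        if scheme:
            if scheme not in ALLOWED_SCHEMES:
                disallowed.append((tag, attr, value))
        elif value.startswith(("/", "..", "~")):
            disallowed.append((tag, attr, value))
    return disallowed


def screen_submission(markdown_text):
    """Return (accepted, reason); reject before pandoc ever runs."""
    disallowed = find_disallowed_refs(markdown_text)
    if disallowed:
        tag, attr, value = disallowed[0]
        return False, f"disallowed resource reference: <{tag} {attr}={value!r}>"
    return True, "ok"


def safe_pandoc_argv(input_path, output_path):
    """pandoc command line suitable for untrusted input.

    - `-f markdown-raw_html` disables the raw_html extension, so HTML in the
      input is rendered as literal text instead of being passed through.
    - `--sandbox` (pandoc >= 2.15) limits reader/writer I/O to the files
      named on the command line, so a reference that slips past the screen
      still cannot be resolved from the local file system.
    - No --self-contained / --embed-resources, so nothing is inlined at all.
    """
    return ["pandoc", "--sandbox", "-f", "markdown-raw_html", "-t", "html",
            "-o", output_path, input_path]


if __name__ == "__main__":
    # Constructed sample: the write-up's payload versus ordinary Markdown.
    for sample in ('<script src="file:///etc/passwd"></script>',
                   "# Hello\n\nSome *Markdown* with a [link](https://example.com)."):
        print(screen_submission(sample))
    print(" ".join(safe_pandoc_argv("submission.md", "out.html")))
```

The screen on its own is not sufficient, because pandoc resolves resources in more ways than raw HTML attributes; the point of the second function is that the conversion step should be unable to read local files regardless of what the screen missed.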
Now, the challenge name is ManDir, which breaks down to man-dir, or the man page directory. The most obvious place to check is pandoc's man page.
If you read about man pages, you will find that they are usually compressed with gzip. The default man page of pandoc is located at
/usr/share/man/man1/pandoc.1.gz
Hence the natural exploit would be
<script src="file:///usr/share/man/man1/pandoc.1.gz"></script>
On entering the payload, we get the following response.
Note that, to make things easy, the request header includes
Accept-Encoding: gzip, deflate
This means the gzip file arrives decompressed in the response.
Voilà! We have the flag:
CTF{pandoc_for_d_win!!!}